git.osdn.net Git - android-x86/frameworks-base.git/commit

author	Jeff Sharkey <jsharkey@android.com>
	Thu, 18 Jul 2019 00:51:28 +0000 (18:51 -0600)
committer	Max Spector <mspector@google.com>
	Thu, 19 Sep 2019 00:13:41 +0000 (17:13 -0700)
commit	35dba262656ab4b68070ae074ce620f80493a274
tree	5add5ebc3ebae13a572bf6cf168e17f7fc057781	tree \| snapshot
parent	ce56aee7ee2593fbf54c017d4a7b0c52110aed89	commit \| diff

RESTRICT AUTOMERGE
Enable stricter SQLiteQueryBuilder options.

Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.

This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks. This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.

We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.

Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.

Bug: 135270103, 135269143
Test: cts-tradefed run cts -m CtsAppTestCases -t android.app.cts.DownloadManagerTest
Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
(cherry picked from commit f683c688d5fcd1c178aad2dc154ae5d7b5c60aa9)