diff options
| author | Jeff Sharkey <jsharkey@android.com> | 2019-07-17 18:54:49 -0600 |
|---|---|---|
| committer | Bryan Ferris <bferris@google.com> | 2019-09-10 20:46:41 +0000 |
| commit | ffec00b013a34800681ec90c88ad40337aa20c1a (patch) | |
| tree | 5163edb302254b9dd7de196e9cd23de5aa1a6d41 /ui | |
| parent | 14a5b9171ae9817e03bfef4daf988ab1e9528e59 (diff) | |
| download | android_packages_providers_DownloadProvider-ffec00b013a34800681ec90c88ad40337aa20c1a.tar.gz android_packages_providers_DownloadProvider-ffec00b013a34800681ec90c88ad40337aa20c1a.tar.bz2 android_packages_providers_DownloadProvider-ffec00b013a34800681ec90c88ad40337aa20c1a.zip | |
RESTRICT AUTOMERGE Enable stricter SQLiteQueryBuilder options.
Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.
This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks. This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.
We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.
Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.
Bug: 135270103, 135269143
Test: atest DownloadProviderTests
Test: atest CtsAppTestCases:android.app.cts.DownloadManagerTest
Change-Id: I8e595e1470df586a3d593b7851305da413e44347
Diffstat (limited to 'ui')
0 files changed, 0 insertions, 0 deletions