tag 032ecc0083d609f0842f32abca2973380eea2f33
tagger The Android Open Source Project <initial-contribution@android.com> Mon Aug 02 15:55:10 2021 -0700
object d8b3c66241121747aab72140c983eafb3d4f127a

Android Security 8.1.0 Release 91 (7449185)

commit d8b3c66241121747aab72140c983eafb3d4f127a
author Jeff Sharkey <jsharkey@android.com> Mon Sep 24 13:49:30 2018 -0600
committer Rohit Yengisetty <rngy@google.com> Tue Oct 16 16:21:14 2018 -0700
tree 90a4d93d7cdf29a5c8202f9e98d37fd22bf84531
parent 9eaf62730763d2b8bfe571699f0d796ee0ea2fe3

Recover shady content:// paths.

The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.

This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths.  Consider this example:

    <path-permission android:pathPrefix="/private" ... />

    uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);

    content://com.example//private

The Uri above will pass the security check, since it's not
technically a prefix match.  But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.

Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.

Bug: 112555574
cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ia62aa19b7d554b806b29875eb6e397adfe69d23b
Merged-In: Ia62aa19b7d554b806b29875eb6e397adfe69d23b

(cherry picked from commit 3a22542c503d70dcf98e22a06ac9caa0ce8e5ab3)