tag fdc85a99a8f2ac392524c0983c8f4ec869c496d5
tagger The Android Open Source Project <initial-contribution@android.com> Mon Apr 05 15:02:21 2021 -0700
object 1730e9b26321596c6c47de00cca3b88b9948d38e

Android security 8.1.0 release 87

commit 1730e9b26321596c6c47de00cca3b88b9948d38e
author Jeff Sharkey <jsharkey@android.com> Wed Jul 17 18:54:49 2019 -0600
committer Max Spector <mspector@google.com> Wed Sep 18 17:13:22 2019 -0700
tree 5989f28139d5b847122875749aee37c69121adfb
parent dea9d8bdec120fb1e1fa44561fb1215034fba48f

RESTRICT AUTOMERGE
Enable stricter SQLiteQueryBuilder options.

Malicious callers can leak side-channel information by using
subqueries in any untrusted inputs where SQLite allows "expr" values.

This change starts using setStrictColumns() and setStrictGrammar()
on SQLiteQueryBuilder to block this class of attacks.  This means we
now need to define the projection mapping of valid columns, which
consists of both the columns defined in the public API and columns
read internally by DownloadInfo.Reader.

We're okay growing sAppReadableColumnsSet like this, since we're
relying on our trusted WHERE clause to filter away any rows that
don't belong to the calling UID.

Remove the legacy Lexer code, since we're now internally relying on
the robust and well-tested SQLiteTokenizer logic.

Bug: 135270103
Bug: 135269143
Test: cts-tradefed run cts -m CtsAppTestCases -t android.app.cts.DownloadManagerTest
Change-Id: I302091ceda3591785b2124575e89dad19bc97469
(cherry picked from commit a9533dcd628fc8f83e9cf948fc4ca09c2d139e2b)