Merge cherrypicks of [9428056, 9428057, 9428058, 9428059, 9427659, 9428140, 9428141, 9427864, 9428122, 9428123, 9428124, 9428180, 9428181, 9427966, 9427967, 9427968, 9427969, 9427970, 9427971, 9427972, 9427973, 9428182, 9428183, 9428184, 9428104, 9427370, 9428126, 9427923, 9427974, 9427975, 9428127, 9428185] into sparse-5831595-L25200000368072328
Change-Id: I180abe8c6569d38c0a660263beb24dc291f72a1d
diff --git a/src/com/android/providers/telephony/TelephonyProvider.java b/src/com/android/providers/telephony/TelephonyProvider.java
index c7f1c9b..d9e368d 100644
--- a/src/com/android/providers/telephony/TelephonyProvider.java
+++ b/src/com/android/providers/telephony/TelephonyProvider.java
@@ -207,6 +207,10 @@
private static final String DEFAULT_PROTOCOL = "IP";
private static final String DEFAULT_ROAMING_PROTOCOL = "IP";
+ // Used to check if certain queries contain subqueries that may attempt to access sensitive
+ // fields in the carriers db.
+ private static final String SQL_SELECT_TOKEN = "select";
+
private static final UriMatcher s_urlMatcher = new UriMatcher(UriMatcher.NO_MATCH);
private static final ContentValues s_currentNullMap;
@@ -3029,27 +3033,27 @@
private void checkQueryPermission(int match, String[] projectionIn, String selection,
String sort) {
- if (match != URL_SIMINFO && match != URL_SIMINFO_USING_SUBID) {
- // Determine if we need to do a check for fields in the selection
- boolean selectionOrSortContainsSensitiveFields;
+ // Determine if we need to do a check for fields in the selection
+ boolean selectionOrSortContainsSensitiveFields;
+ try {
+ selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
+ selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
+ } catch (IllegalArgumentException e) {
+ // Malformed sql, check permission anyway and return.
+ checkPermission();
+ return;
+ }
+
+ if (selectionOrSortContainsSensitiveFields) {
try {
- selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
- selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
- } catch (IllegalArgumentException e) {
- // Malformed sql, check permission anyway and return.
checkPermission();
- return;
+ } catch (SecurityException e) {
+ EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
+ throw e;
}
+ }
- if (selectionOrSortContainsSensitiveFields) {
- try {
- checkPermission();
- } catch (SecurityException e) {
- EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
- throw e;
- }
- }
-
+ if (match != URL_SIMINFO && match != URL_SIMINFO_USING_SUBID) {
if (projectionIn != null) {
for (String column : projectionIn) {
if (TYPE.equals(column) ||
@@ -3077,9 +3081,10 @@
private boolean containsSensitiveFields(String sqlStatement) {
try {
SqlTokenFinder.findTokens(sqlStatement, s -> {
- switch (s) {
+ switch (s.toLowerCase()) {
case USER:
case PASSWORD:
+ case SQL_SELECT_TOKEN:
throw new SecurityException();
}
});