Merge "Snap for 5986893 from 0830975e2ef30b652d0f0ab906a54f769e4d6fa4 to android10-tests-release" into android10-tests-release
diff --git a/src/com/android/providers/telephony/TelephonyProvider.java b/src/com/android/providers/telephony/TelephonyProvider.java
index 918a841..d9e368d 100644
--- a/src/com/android/providers/telephony/TelephonyProvider.java
+++ b/src/com/android/providers/telephony/TelephonyProvider.java
@@ -138,7 +138,6 @@
import java.util.Locale;
import java.util.Map;
import java.util.Set;
-import java.util.function.Consumer;
import java.util.zip.CRC32;
public class TelephonyProvider extends ContentProvider
@@ -208,6 +207,10 @@
private static final String DEFAULT_PROTOCOL = "IP";
private static final String DEFAULT_ROAMING_PROTOCOL = "IP";
+ // Used to check if certain queries contain subqueries that may attempt to access sensitive
+ // fields in the carriers db.
+ private static final String SQL_SELECT_TOKEN = "select";
+
private static final UriMatcher s_urlMatcher = new UriMatcher(UriMatcher.NO_MATCH);
private static final ContentValues s_currentNullMap;
@@ -2819,7 +2822,7 @@
List<String> constraints = new ArrayList<String>();
int match = s_urlMatcher.match(url);
- checkQueryPermission(match, projectionIn, selection);
+ checkQueryPermission(match, projectionIn, selection, sort);
switch (match) {
case URL_TELEPHONY_USING_SUBID: {
subIdString = url.getLastPathSegment();
@@ -3028,27 +3031,29 @@
return ret;
}
- private void checkQueryPermission(int match, String[] projectionIn, String selection) {
- if (match != URL_SIMINFO && match != URL_SIMINFO_USING_SUBID) {
- // Determine if we need to do a check for fields in the selection
- boolean selectionContainsSensitiveFields;
+ private void checkQueryPermission(int match, String[] projectionIn, String selection,
+ String sort) {
+ // Determine if we need to do a check for fields in the selection
+ boolean selectionOrSortContainsSensitiveFields;
+ try {
+ selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
+ selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
+ } catch (IllegalArgumentException e) {
+ // Malformed sql, check permission anyway and return.
+ checkPermission();
+ return;
+ }
+
+ if (selectionOrSortContainsSensitiveFields) {
try {
- selectionContainsSensitiveFields = containsSensitiveFields(selection);
- } catch (IllegalArgumentException e) {
- // Malformed sql, check permission anyway and return.
checkPermission();
- return;
+ } catch (SecurityException e) {
+ EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
+ throw e;
}
+ }
- if (selectionContainsSensitiveFields) {
- try {
- checkPermission();
- } catch (SecurityException e) {
- EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
- throw e;
- }
- }
-
+ if (match != URL_SIMINFO && match != URL_SIMINFO_USING_SUBID) {
if (projectionIn != null) {
for (String column : projectionIn) {
if (TYPE.equals(column) ||
@@ -3076,9 +3081,10 @@
private boolean containsSensitiveFields(String sqlStatement) {
try {
SqlTokenFinder.findTokens(sqlStatement, s -> {
- switch (s) {
+ switch (s.toLowerCase()) {
case USER:
case PASSWORD:
+ case SQL_SELECT_TOKEN:
throw new SecurityException();
}
});