DO NOT MERGE Fix the remaining holes for access to APN data
Add the following checks for preventing unauthorized access to the APN
username and password fields in the carrier db:
1. Check the query for sensitive fields no matter what URI is being
queried
2. Perform a case-insensitive search for sensitive fields
3. Always check the permission for accessing username/password if any
part of the query contains a subquery (detected via looking for the
"select" token).
Bug: 138802882
Test: CTS
Change-Id: I59b297642d2000dde0a83f77b20112c7382b7ef1
(cherry picked from commit 30a633ac17b2a6f35068cbb57c8f12c5c683b5f6)
diff --git a/src/com/android/providers/telephony/TelephonyProvider.java b/src/com/android/providers/telephony/TelephonyProvider.java
index c7f1c9b..d9e368d 100644
--- a/src/com/android/providers/telephony/TelephonyProvider.java
+++ b/src/com/android/providers/telephony/TelephonyProvider.java
@@ -207,6 +207,10 @@
private static final String DEFAULT_PROTOCOL = "IP";
private static final String DEFAULT_ROAMING_PROTOCOL = "IP";
+ // Used to check if certain queries contain subqueries that may attempt to access sensitive
+ // fields in the carriers db.
+ private static final String SQL_SELECT_TOKEN = "select";
+
private static final UriMatcher s_urlMatcher = new UriMatcher(UriMatcher.NO_MATCH);
private static final ContentValues s_currentNullMap;
@@ -3029,27 +3033,27 @@
private void checkQueryPermission(int match, String[] projectionIn, String selection,
String sort) {
- if (match != URL_SIMINFO && match != URL_SIMINFO_USING_SUBID) {
- // Determine if we need to do a check for fields in the selection
- boolean selectionOrSortContainsSensitiveFields;
+ // Determine if we need to do a check for fields in the selection
+ boolean selectionOrSortContainsSensitiveFields;
+ try {
+ selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
+ selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
+ } catch (IllegalArgumentException e) {
+ // Malformed sql, check permission anyway and return.
+ checkPermission();
+ return;
+ }
+
+ if (selectionOrSortContainsSensitiveFields) {
try {
- selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
- selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
- } catch (IllegalArgumentException e) {
- // Malformed sql, check permission anyway and return.
checkPermission();
- return;
+ } catch (SecurityException e) {
+ EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
+ throw e;
}
+ }
- if (selectionOrSortContainsSensitiveFields) {
- try {
- checkPermission();
- } catch (SecurityException e) {
- EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
- throw e;
- }
- }
-
+ if (match != URL_SIMINFO && match != URL_SIMINFO_USING_SUBID) {
if (projectionIn != null) {
for (String column : projectionIn) {
if (TYPE.equals(column) ||
@@ -3077,9 +3081,10 @@
private boolean containsSensitiveFields(String sqlStatement) {
try {
SqlTokenFinder.findTokens(sqlStatement, s -> {
- switch (s) {
+ switch (s.toLowerCase()) {
case USER:
case PASSWORD:
+ case SQL_SELECT_TOKEN:
throw new SecurityException();
}
});