commit 72b6ac9075afff486072049416d38b44c046c9f2
author Hall Liu <hallliu@google.com> Thu Aug 29 14:33:18 2019 -0700
committer android-build-merger <android-build-merger@google.com> Thu Aug 29 14:33:18 2019 -0700
tree 85e993723b9af8f2123259e0992c5f5b7ff13c6e
parent 7ed308ef9e05cdf99efbb9c69674a2712c8b7dee
parent 6b46d4d0686437dd015afd88d7edf38cea9df00c

[automerger] Fix the remaining holes for access to APN data am: 09a82c2251 am: 10a01c5555 am: d2a5f1c5a3 am: 322a534216
am: 6b46d4d068

Change-Id: Ie09e4e42e965d9d5e7de4de5e21bd2b2390b9b74

src/com/android/providers/telephony/TelephonyProvider.java

diff --git a/src/com/android/providers/telephony/TelephonyProvider.java b/src/com/android/providers/telephony/TelephonyProvider.java
index 48778b6..91167b1 100644
--- a/src/com/android/providers/telephony/TelephonyProvider.java
+++ b/src/com/android/providers/telephony/TelephonyProvider.java
@@ -162,6 +162,10 @@
     private static final String OTA_UPDATED_APNS_PATH = "misc/apns-conf.xml";
     private static final String OLD_APNS_PATH = "etc/old-apns-conf.xml";
 
+    // Used to check if certain queries contain subqueries that may attempt to access sensitive
+    // fields in the carriers db.
+    private static final String SQL_SELECT_TOKEN = "select";
+
     private static final UriMatcher s_urlMatcher = new UriMatcher(UriMatcher.NO_MATCH);
 
     private static final ContentValues s_currentNullMap;
@@ -2058,25 +2062,26 @@
             }
         }
 
-        if (match != URL_SIMINFO) {
-            // Determine if we need to do a check for fields in the selection
-            boolean selectionOrSortContainsSensitiveFields;
-            try {
-                selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
-                selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
-            } catch (Exception e) {
-                // Malformed sql, check permission anyway.
-                selectionOrSortContainsSensitiveFields = true;
-            }
+        // Determine if we need to do a check for fields in the selection
+        boolean selectionOrSortContainsSensitiveFields;
+        try {
+            selectionOrSortContainsSensitiveFields = containsSensitiveFields(selection);
+            selectionOrSortContainsSensitiveFields |= containsSensitiveFields(sort);
+        } catch (Exception e) {
+            // Malformed sql, check permission anyway.
+            selectionOrSortContainsSensitiveFields = true;
+        }
 
-            if (selectionOrSortContainsSensitiveFields) {
-                try {
-                    checkPermission();
-                } catch (SecurityException e) {
-                    EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
-                    throw e;
-                }
+        if (selectionOrSortContainsSensitiveFields) {
+            try {
+                checkPermission();
+            } catch (SecurityException e) {
+                EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
+                throw e;
             }
+        }
+
+        if (match != URL_SIMINFO) {
             if (projectionIn != null) {
                 for (String column : projectionIn) {
                     if (TYPE.equals(column) ||
@@ -2124,9 +2129,10 @@
     private boolean containsSensitiveFields(String sqlStatement) {
         try {
             SqlTokenFinder.findTokens(sqlStatement, s -> {
-                switch (s) {
+                switch (s.toLowerCase()) {
                     case USER:
                     case PASSWORD:
+                    case SQL_SELECT_TOKEN:
                         throw new SecurityException();
                 }
             });