This project is mirrored from Pull mirroring updated .
  1. 21 Jan, 2019 1 commit
  2. 13 Jan, 2019 1 commit
  3. 07 Jan, 2019 1 commit
  4. 27 Dec, 2018 1 commit
  5. 17 Dec, 2018 1 commit
  6. 16 Dec, 2018 2 commits
    • Jeff Sharkey's avatar
      RESTRICT AUTOMERGE: Recover shady content:// paths. · b98c5a95
      Jeff Sharkey authored
      The path-permission element offers prefix or regex style matching of
      paths, but most providers internally use UriMatcher to decide what
      to do with an incoming Uri.
      This causes trouble because UriMatcher uses Uri.getPathSegments(),
      which quietly ignores "empty" paths.  Consider this example:
          <path-permission android:pathPrefix="/private" ... />
          uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
      The Uri above will pass the security check, since it's not
      technically a prefix match.  But the UriMatcher will then match it
      as CODE_PRIVATE, since it ignores the "//" zero-length path.
      Since we can't safely change the behavior of either path-permission
      or UriMatcher, we're left with recovering these shady paths by
      trimming away zero-length paths.
      Bug: 112555574
      Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
      Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
      (cherry picked from commit a1ec7b11)
    • Robin Lee's avatar
      Pass userId through to singleton ContentProviders · 019a7eab
      Robin Lee authored
      System content providers like SettingsProvider run as singleUser but
      on receipt of a call make decisions based on the calling user ID.
      This is right up until the caller is a system service or a cross-user-
      -aware app like Settings, where putStringForUser etc. provide a
      workaround for most settings but not for the few files SettingsProvider
      Change-Id: I90060c9c13e274edd71f8a16ab3a026a58b98e3e
  7. 04 Dec, 2018 1 commit
    • Wayne Lin's avatar
      Changing SUPL_ES=1 for SUPL end point control · b3f380d3
      Wayne Lin authored
      SUPL_ES=1 ensures the GnssLocationProvider and related framework code
      accepts incoming SMS SUPL_INIT messages with ES-bit=1
      (which allow redirection of the ESLP
      end-point e.g. to the current local emergency services provider when
      you are travelling) only during an emergency call
      Bug: 115331218
      Bug: 112159033
      Test: Build pass
      Change-Id: I5075f7887a184ce18bb1815b35a2ce7acd8bca10
      (cherry picked from commit 02f38c72)
  8. 30 Nov, 2018 1 commit
  9. 24 Nov, 2018 1 commit
  10. 19 Nov, 2018 1 commit
  11. 13 Nov, 2018 1 commit
  12. 12 Nov, 2018 2 commits
    • Michael Wachenschwanz's avatar
      Verify number of Map entries written to Parcel · 3cab1737
      Michael Wachenschwanz authored
      Make sure the number of entries written by Parcel#writeMapInternal
      matches the size written. If a mismatch were allowed, an exploitable
      scenario could occur where the data read from the Parcel would not
      match the data written.
      Fixes: 112859604
      Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
      Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
      Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
      (cherry picked from commit 057a01d1)
    • vince-bourgmayer's avatar
  13. 06 Nov, 2018 1 commit
    • Wale Ogunwale's avatar
      RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission. · 5b9f020c
      Wale Ogunwale authored
      1: Cherry-pick ag/4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
      updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow
      2: Cherry-pick ag/3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
      relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded
      3: Add permissions to SystemUI to allow it to hide non-system overlays
      Bug: 34170870
      Test: manual (see bug for poc)
      Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
      (cherry picked from commit 40f7b583)
  14. 31 Oct, 2018 1 commit
  15. 30 Oct, 2018 7 commits
    • Seigo Nonaka's avatar
      Fix crash during cursor moving on BiDi text · 04a3be40
      Seigo Nonaka authored
      The crash was introduced by Ib66ef392c19c937718e7101f6d48fac3abe51ad0
      The root cause of the crashing is requesting out-of-line access for the
      horizontal width. This invalid access is silently ignored by
      TextLine#measure() method but new implementation end up with out of
      bounds access.
      To makes behavior as old implementation, calling getHorizontal instead
      of accessing measured result array.
      Bug: 78464361, 111580019
      Test: Manually done
      Change-Id: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
      (cherry picked from commit 960647d5)
      Merged-In: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
      (cherry picked from commit a1076fda)
    • Jeff Sharkey's avatar
      DO NOT MERGE. Persistable Uri grants still require permissions. · 31824b99
      Jeff Sharkey authored
      When FLAG_GRANT_PERSISTABLE_URI_PERMISSION is requested, we still
      need to check permissions between the source and target packages,
      instead of shortcutting past them.
      The spirit of the original change is remains intact: if the caller
      requested FLAG_GRANT_PERSISTABLE_URI_PERMISSION, then we avoid
      returning "-1", which would prevent the grant data structure from
      being allocated.
      Bug: 111934948
      Test: atest android.appsecurity.cts.AppSecurityTests
      Change-Id: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
      Merged-In: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
      (cherry picked from commit d6a6e712)
    • Jeff Sharkey's avatar
      Always create grant structures when persistable. · bd7f6a82
      Jeff Sharkey authored
      Certain apps may already hold permissions to an underlying provider,
      but they expect APIs like takePersistableUriPermission() and
      getPersistedUriPermissions() to work when a permission grant was
      Test: builds, boots
      Bug: 31239684
      Change-Id: I4b21c57956b70133ecadb50d0d3ee339f41e2260
    • Mihai Popa's avatar
      Optimise the hit test algorithm · bf76beec
      Mihai Popa authored
      Layout#getOffsetForHorizontal was running in O(n^2) time, where n is the
      length of the current line. The method is used when a touch event
      happens on a text line, to compute the cursor offset (and the character)
      where it happened. Although this is not an issue in common usecases,
      where the number of characters on a line is relatively small, this can
      be very inefficient as a consequence of Unicode containing 0-width
      (invisible) characters. Specifically, there are characters defining the
      text direction (LTR or RTL), which cause our algorithm to touch the
      worst case quadratic runtime. For example, a person is able to send a
      message containing a few visible characters, and also a lot of these
      direction changing invisible ones. When the receiver touches the message
      (causing the Layout#getOffsetForHorizontal method to be called), the
      receiver's application would become not responsive.
      This CL optimizes the method to run in O(n) worst case. This is achieved
      by computing the measurements of all line prefixes at first, which can
      be done in a single pass. Then, all the prefix measurement queries will
      be answered in O(1), rather than O(n) as it was happening before.
      Bug: 79215201
      Test: manual testing
      Change-Id: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
      Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
    • Ben Lin's avatar
      Add support for search in DownloadManager. · 9f63f94c
      Ben Lin authored
      Bug: 26524617
      Change-Id: I41c0f92381bec8ad06db73b25ec67466f368b55c
    • Jeff Sharkey's avatar
      DO NOT MERGE. Extend SQLiteQueryBuilder for update and delete. · c8304458
      Jeff Sharkey authored
      Developers often accept selection clauses from untrusted code, and
      SQLiteQueryBuilder already supports a "strict" mode to help catch
      SQL injection attacks.  This change extends the builder to support
      update() and delete() calls, so that we can help secure those
      selection clauses too.
      Bug: 111085900
      Test: atest packages/providers/DownloadProvider/tests/
      Test: atest cts/tests/app/src/android/app/cts/
      Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/
      Change-Id: Ib4fc8400f184755ee7e971ab5f2095186341730c
      Merged-In: Ib4fc8400f184755ee7e971ab5f2095186341730c
      (cherry picked from commit 50699426)
    • Jeff Sharkey's avatar
      DO NOT MERGE. Execute "strict" queries with extra parentheses. · 2671e7cf
      Jeff Sharkey authored
      SQLiteQueryBuilder has a setStrict() mode which can be used to
      detect SQL attacks from untrusted sources, which it does by running
      each query twice: once with an extra set of parentheses, and if that
      succeeds, it runs the original query verbatim.
      This sadly doesn't catch inputs of the type "1=1) OR (1=1", which
      creates valid statements for both tests above, but the final executed
      query ends up leaking data due to SQLite operator precedence.
      Instead, we need to continue compiling both variants, but we need
      to execute the query with the additional parentheses to ensure
      data won't be leaked.
      Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/
      Bug: 111085900
      Change-Id: I6e8746fa48f9de13adae37d2990de11c9c585381
      Merged-In: I6e8746fa48f9de13adae37d2990de11c9c585381
      (cherry picked from commit 57b04a86)
  16. 23 Oct, 2018 1 commit
  17. 14 Oct, 2018 1 commit
  18. 24 Sep, 2018 1 commit
  19. 23 Sep, 2018 2 commits
    • Makoto Onuki's avatar
      Backport Prevent shortcut info package name spoofing · 0d0bcfe9
      Makoto Onuki authored
      Test: cts-tradefed run cts -m CtsShortcutManagerTestCases -t
      Bug: 109824443
      Change-Id: I90443973aaef157d357b98b739572866125b2bbc
      Merged-In: I78948446a63b428ae750464194558fd44a658493
      (cherry picked from commit 9e21579a)
    • Robert Shih's avatar
      Fix TrackInfo parcel write · ba67df1a
      Robert Shih authored
      Bug: 77600398
      Change-Id: Ia316f1c5dc4879f6851fdb78fe8b9039579be7bc
      (cherry picked from commit 0d2dc943)
  20. 06 Sep, 2018 1 commit
  21. 31 Aug, 2018 5 commits
  22. 25 Aug, 2018 1 commit
  23. 23 Aug, 2018 1 commit
  24. 17 Aug, 2018 1 commit
  25. 16 Aug, 2018 1 commit
    • Todd Kennedy's avatar
      Make safe label more safe · 17d17094
      Todd Kennedy authored
      * limit the absolute maximum size of the label to 50000 characters
      [which is probably far more than necessary, but, can be dialed down]
      * use a string buffer while processing the string [instead of creating
      multiple string objects]
      Bug: 62537081
      Test: Manual. Install APK in bug and see that it can be uninstalled
      Change-Id: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
      Merged-In: Ibf63c2691ad7438a123e92110d95b1f50050f8b1
      (cherry picked from commit 2263da95)
  26. 11 Aug, 2018 1 commit
  27. 07 Aug, 2018 1 commit