This project is mirrored from Updated .
  1. 15 Mar, 2019 2 commits
  2. 13 Mar, 2019 2 commits
  3. 12 Mar, 2019 1 commit
  4. 11 Mar, 2019 1 commit
  5. 05 Mar, 2019 2 commits
    • Guliz Tuncay's avatar
      Select only preinstalled Spell Checker Services · becc0144
      Guliz Tuncay authored
      When we are setting a new spell checker as the default one in
      Secure.Settings, TSMS#findAvailSpellCheckerLocked can pick up
      any available spell checker service. This violates the principle
      that user should be warned whenever we are setting an untrusted
      spell checker service as the default service, since the warning
      dialog is never shown.
      Fixes: 64764051
      Bug: 118694079
      Test: Manually as follows:
      1. Open 'packages/inputmethods/LatinIME/java/AndroidManifest.xml'
           and remove 'AndroidSpellCheckerService'
      2. lunch aosp_buillhead-userdebug && make -j
      3. Flash the image
      4. adb shell dumpsys textservices
          -> no spell checker is recognized
      5. adb shell settings get secure selected_spell_checker
          -> null
      6. tapas SampleSpellCheckerService
      7. make -j
      8. adb install -r $OUT/system/app/SampleSpellCheckerService/SampleSpellCheckerService.apk
      9. adb shell dumpsys textservices
          -> SampleSpellCheckerService is recognized
      10. adb shell settings get secure selected_spell_checker
          -> null
      Change-Id: I16f12293d15258c9148677c7ee09fe6dcf81e81d
      Merged-In: Idab3ecc246fe9344a09e6907a0ba39f8ea6506f9
      (cherry picked from commit ed5973b8a8a2c0f0fc1f39c59c33f81882f41405)
    • Tony Mak's avatar
      RESTRICT AUTOMERGE Do not linkify text with RLO/LRO characters. · 7c411a06
      Tony Mak authored
      Also don't show smart actions for selections in text with unsupported
      Bug: 116321860
      Test: runtest -x cts/tests/tests/text/src/android/text/util/cts/
      Change-Id: Id271cab8aef6b9b13ef17f1a8654c7616f75cf13
      (cherry picked from commit 73f398d306a8acf2dbb1dcff4042ecbaec5506a3)
  6. 19 Feb, 2019 1 commit
  7. 15 Feb, 2019 1 commit
  8. 24 Jan, 2019 1 commit
  9. 21 Jan, 2019 1 commit
  10. 13 Jan, 2019 1 commit
  11. 07 Jan, 2019 1 commit
  12. 27 Dec, 2018 1 commit
  13. 17 Dec, 2018 1 commit
  14. 16 Dec, 2018 2 commits
    • Jeff Sharkey's avatar
      RESTRICT AUTOMERGE: Recover shady content:// paths. · b98c5a95
      Jeff Sharkey authored
      The path-permission element offers prefix or regex style matching of
      paths, but most providers internally use UriMatcher to decide what
      to do with an incoming Uri.
      This causes trouble because UriMatcher uses Uri.getPathSegments(),
      which quietly ignores "empty" paths.  Consider this example:
          <path-permission android:pathPrefix="/private" ... />
          uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
      The Uri above will pass the security check, since it's not
      technically a prefix match.  But the UriMatcher will then match it
      as CODE_PRIVATE, since it ignores the "//" zero-length path.
      Since we can't safely change the behavior of either path-permission
      or UriMatcher, we're left with recovering these shady paths by
      trimming away zero-length paths.
      Bug: 112555574
      Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
      Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
      (cherry picked from commit a1ec7b11)
    • Robin Lee's avatar
      Pass userId through to singleton ContentProviders · 019a7eab
      Robin Lee authored
      System content providers like SettingsProvider run as singleUser but
      on receipt of a call make decisions based on the calling user ID.
      This is right up until the caller is a system service or a cross-user-
      -aware app like Settings, where putStringForUser etc. provide a
      workaround for most settings but not for the few files SettingsProvider
      Change-Id: I90060c9c13e274edd71f8a16ab3a026a58b98e3e
  15. 04 Dec, 2018 1 commit
    • Wayne Lin's avatar
      Changing SUPL_ES=1 for SUPL end point control · b3f380d3
      Wayne Lin authored
      SUPL_ES=1 ensures the GnssLocationProvider and related framework code
      accepts incoming SMS SUPL_INIT messages with ES-bit=1
      (which allow redirection of the ESLP
      end-point e.g. to the current local emergency services provider when
      you are travelling) only during an emergency call
      Bug: 115331218
      Bug: 112159033
      Test: Build pass
      Change-Id: I5075f7887a184ce18bb1815b35a2ce7acd8bca10
      (cherry picked from commit 02f38c72)
  16. 30 Nov, 2018 1 commit
  17. 24 Nov, 2018 1 commit
  18. 19 Nov, 2018 1 commit
  19. 13 Nov, 2018 1 commit
  20. 12 Nov, 2018 2 commits
    • Michael Wachenschwanz's avatar
      Verify number of Map entries written to Parcel · 3cab1737
      Michael Wachenschwanz authored
      Make sure the number of entries written by Parcel#writeMapInternal
      matches the size written. If a mismatch were allowed, an exploitable
      scenario could occur where the data read from the Parcel would not
      match the data written.
      Fixes: 112859604
      Test: cts-tradefed run cts -m CtsOsTestCases -t android.os.cts.ParcelTest
      Change-Id: I325d08a8b66b6e80fe76501359c41b6656848607
      Merged-In: I325d08a8b66b6e80fe76501359c41b6656848607
      (cherry picked from commit 057a01d1)
    • vince-bourgmayer's avatar
  21. 06 Nov, 2018 1 commit
    • Wale Ogunwale's avatar
      RESTRICT AUTOMERGE: Hide overlay windows when requesting media projection permission. · 5b9f020c
      Wale Ogunwale authored
      1: Cherry-pick ag/4067454 - Setting PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
      updateNonSystemOverlayWindowsVisibilityIfNeeded on relayoutWindow
      2: Cherry-pick ag/3650369 - If PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS changed on
      relayoutWindow() then updateNonSystemOverlayWindowsVisibilityIfNeeded
      3: Add permissions to SystemUI to allow it to hide non-system overlays
      Bug: 34170870
      Test: manual (see bug for poc)
      Change-Id: I57cb0f390d9a78e721c5ddce49a377d385002753
      (cherry picked from commit 40f7b583)
  22. 31 Oct, 2018 1 commit
  23. 30 Oct, 2018 7 commits
    • Seigo Nonaka's avatar
      Fix crash during cursor moving on BiDi text · 04a3be40
      Seigo Nonaka authored
      The crash was introduced by Ib66ef392c19c937718e7101f6d48fac3abe51ad0
      The root cause of the crashing is requesting out-of-line access for the
      horizontal width. This invalid access is silently ignored by
      TextLine#measure() method but new implementation end up with out of
      bounds access.
      To makes behavior as old implementation, calling getHorizontal instead
      of accessing measured result array.
      Bug: 78464361, 111580019
      Test: Manually done
      Change-Id: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
      (cherry picked from commit 960647d582911ae7ab8b9491097898e6c313aaf1)
      Merged-In: I5c5778718f6b397adbb1e4f2cf95e9f635f6e5c8
      (cherry picked from commit a1076fda)
    • Jeff Sharkey's avatar
      DO NOT MERGE. Persistable Uri grants still require permissions. · 31824b99
      Jeff Sharkey authored
      When FLAG_GRANT_PERSISTABLE_URI_PERMISSION is requested, we still
      need to check permissions between the source and target packages,
      instead of shortcutting past them.
      The spirit of the original change is remains intact: if the caller
      requested FLAG_GRANT_PERSISTABLE_URI_PERMISSION, then we avoid
      returning "-1", which would prevent the grant data structure from
      being allocated.
      Bug: 111934948
      Test: atest android.appsecurity.cts.AppSecurityTests
      Change-Id: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
      Merged-In: Ief0fc922aa09fc3d9bb6a126c2ff5855347cd030
      (cherry picked from commit d6a6e712)
    • Jeff Sharkey's avatar
      Always create grant structures when persistable. · bd7f6a82
      Jeff Sharkey authored
      Certain apps may already hold permissions to an underlying provider,
      but they expect APIs like takePersistableUriPermission() and
      getPersistedUriPermissions() to work when a permission grant was
      Test: builds, boots
      Bug: 31239684
      Change-Id: I4b21c57956b70133ecadb50d0d3ee339f41e2260
    • Mihai Popa's avatar
      Optimise the hit test algorithm · bf76beec
      Mihai Popa authored
      Layout#getOffsetForHorizontal was running in O(n^2) time, where n is the
      length of the current line. The method is used when a touch event
      happens on a text line, to compute the cursor offset (and the character)
      where it happened. Although this is not an issue in common usecases,
      where the number of characters on a line is relatively small, this can
      be very inefficient as a consequence of Unicode containing 0-width
      (invisible) characters. Specifically, there are characters defining the
      text direction (LTR or RTL), which cause our algorithm to touch the
      worst case quadratic runtime. For example, a person is able to send a
      message containing a few visible characters, and also a lot of these
      direction changing invisible ones. When the receiver touches the message
      (causing the Layout#getOffsetForHorizontal method to be called), the
      receiver's application would become not responsive.
      This CL optimizes the method to run in O(n) worst case. This is achieved
      by computing the measurements of all line prefixes at first, which can
      be done in a single pass. Then, all the prefix measurement queries will
      be answered in O(1), rather than O(n) as it was happening before.
      Bug: 79215201
      Test: manual testing
      Change-Id: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
      Merged-In: Ib66ef392c19c937718e7101f6d48fac3abe51ad0
    • Ben Lin's avatar
      Add support for search in DownloadManager. · 9f63f94c
      Ben Lin authored
      Bug: 26524617
      Change-Id: I41c0f92381bec8ad06db73b25ec67466f368b55c
    • Jeff Sharkey's avatar
      DO NOT MERGE. Extend SQLiteQueryBuilder for update and delete. · c8304458
      Jeff Sharkey authored
      Developers often accept selection clauses from untrusted code, and
      SQLiteQueryBuilder already supports a "strict" mode to help catch
      SQL injection attacks.  This change extends the builder to support
      update() and delete() calls, so that we can help secure those
      selection clauses too.
      Bug: 111085900
      Test: atest packages/providers/DownloadProvider/tests/
      Test: atest cts/tests/app/src/android/app/cts/
      Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/
      Change-Id: Ib4fc8400f184755ee7e971ab5f2095186341730c
      Merged-In: Ib4fc8400f184755ee7e971ab5f2095186341730c
      (cherry picked from commit 50699426)
    • Jeff Sharkey's avatar
      DO NOT MERGE. Execute "strict" queries with extra parentheses. · 2671e7cf
      Jeff Sharkey authored
      SQLiteQueryBuilder has a setStrict() mode which can be used to
      detect SQL attacks from untrusted sources, which it does by running
      each query twice: once with an extra set of parentheses, and if that
      succeeds, it runs the original query verbatim.
      This sadly doesn't catch inputs of the type "1=1) OR (1=1", which
      creates valid statements for both tests above, but the final executed
      query ends up leaking data due to SQLite operator precedence.
      Instead, we need to continue compiling both variants, but we need
      to execute the query with the additional parentheses to ensure
      data won't be leaked.
      Test: atest cts/tests/tests/database/src/android/database/sqlite/cts/
      Bug: 111085900
      Change-Id: I6e8746fa48f9de13adae37d2990de11c9c585381
      Merged-In: I6e8746fa48f9de13adae37d2990de11c9c585381
      (cherry picked from commit 57b04a86)
  24. 23 Oct, 2018 1 commit
  25. 14 Oct, 2018 1 commit
  26. 24 Sep, 2018 1 commit
  27. 23 Sep, 2018 2 commits
    • Makoto Onuki's avatar
      Backport Prevent shortcut info package name spoofing · 0d0bcfe9
      Makoto Onuki authored
      Test: cts-tradefed run cts -m CtsShortcutManagerTestCases -t
      Bug: 109824443
      Change-Id: I90443973aaef157d357b98b739572866125b2bbc
      Merged-In: I78948446a63b428ae750464194558fd44a658493
      (cherry picked from commit 9e21579a)
    • Robert Shih's avatar
      Fix TrackInfo parcel write · ba67df1a
      Robert Shih authored
      Bug: 77600398
      Change-Id: Ia316f1c5dc4879f6851fdb78fe8b9039579be7bc
      (cherry picked from commit 0d2dc943)
  28. 06 Sep, 2018 1 commit