author Jeff Sharkey <jsharkey@android.com> 2019-07-16 16:50:42 -0600
committer Jeff Sharkey <jsharkey@google.com> 2019-09-12 19:59:17 +0000
commit 216bbc2a2e4f697d88f8fd633646e3c0433246f1 (patch)
tree 26d321bc3dc4b2fb9b2effe71cab8e7ef49ed1d2 /docs/html/sdk/api_diff/24/changes
parent 382d5c0c199f3743514e024d2fd921248f7b14b3 (diff)
RESTRICT AUTOMERGE
Strict SQLiteQueryBuilder needs to be stricter.

Malicious callers can leak side-channel information by using subqueries in any untrusted inputs where SQLite allows "expr" values.

This change offers setStrictGrammar() to prevent this by outright blocking subqueries in WHERE and HAVING clauses, and by requiring that GROUP BY and ORDER BY clauses be composed only of valid columns.

This change also offers setStrictColumns() to require that all untrusted column names are valid, such as those in ContentValues.

Relaxes to always allow aggregation operators on returned columns, since untrusted callers can always calculate these manually.

Bug: 135270103
Bug: 135269143
Test: atest android.database.sqlite.cts.SQLiteQueryBuilderTest
Test: atest FrameworksCoreTests:android.database.sqlite.SQLiteTokenizerTest
Exempt-From-Owner-Approval: already approved in downstream branch
Change-Id: I6290afd19c966a8bdca71c377c88210d921a9f25
Diffstat (limited to 'docs/html/sdk/api_diff/24/changes')
0 files changed, 0 insertions, 0 deletions
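
The three checks named in the commit message, sketched in Python as an added example; this is not the Android framework's code and not part of the commit. The tokenizer, the keyword lists and the names `check_expr`, `check_column_list`, `check_values` and `StrictViolation` are assumptions made for illustration, and the sketch is deliberately more conservative than SQLite's full grammar.

```python
import re

# Simplified tokenizer (an assumption, not Android's SQLiteTokenizer):
# literals, quoted identifiers, numbers, bare words, any other character.
_TOKEN = re.compile(r"""'(?:[^']|'')*'|"(?:[^"]|"")*"|\d[\w.]*|[A-Za-z_]\w*|\S""")
# Keywords that start or continue a subquery or compound SELECT.
_BLOCKED = {"SELECT", "FROM", "WHERE", "GROUP", "HAVING", "ORDER",
            "LIMIT", "UNION", "VALUES", "WINDOW"}
# Operators and functions this sketch lets through in WHERE/HAVING.
_ALLOWED = {"AND", "OR", "NOT", "IS", "NULL", "IN", "LIKE", "GLOB",
            "BETWEEN", "ESCAPE", "LOWER", "UPPER", "LENGTH"}

class StrictViolation(ValueError):
    """Raised when untrusted SQL input fails a strict check."""

def _words(sql):
    """Yield bare words and quoted identifiers; skip literals and punctuation."""
    for tok in _TOKEN.findall(sql or ""):
        if tok[0] == '"':
            yield tok[1:-1].replace('""', '"')
        elif tok[0].isalpha() or tok[0] == "_":
            yield tok

def check_expr(clause, columns):
    """WHERE/HAVING: no subquery keywords, every other word a known column."""
    for word in _words(clause):
        upper = word.upper()
        if upper in _BLOCKED:
            raise StrictViolation(f"subquery keyword not allowed: {word}")
        if word not in columns and upper not in _ALLOWED:
            raise StrictViolation(f"unknown token: {word}")

def check_column_list(clause, columns):
    """GROUP BY/ORDER BY: comma-separated valid columns, optional ASC/DESC."""
    for term in filter(None, (t.strip() for t in (clause or "").split(","))):
        parts = term.split()
        name, rest = parts[0], [p.upper() for p in parts[1:]]
        if name not in columns or rest not in ([], ["ASC"], ["DESC"]):
            raise StrictViolation(f"not a valid column term: {term}")

def check_values(values, columns):
    """Column names from a ContentValues-like dict must all be valid."""
    bad = sorted(set(values) - set(columns))
    if bad:
        raise StrictViolation(f"unknown columns: {bad}")
```

Text inside a string literal is skipped by the tokenizer, so a bound or quoted value containing the word `select` is not mistaken for a subquery.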