Issue #1353 » 0001-Externally-Reported-Moderate-Security-Issue-SQL-Inje.patch
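--- a/packages/WAPPushManager/src/com/android/smspush/WapPushManager.java
+++ b/packages/WAPPushManager/src/com/android/smspush/WapPushManager.java
@@ -117,14 +117,18 @@
 */
 protected queryData queryLastApp(SQLiteDatabase db,
 String app_id, String content_type) {
-String sql = "select install_order, package_name, class_name, "
-+ " app_type, need_signature, further_processing"
-+ " from " + APPID_TABLE_NAME
-+ " where x_wap_application=\'" + app_id + "\'"
-+ " and content_type=\'" + content_type + "\'"
-+ " order by install_order desc";
-if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
-Cursor cur = db.rawQuery(sql, null);
+if (LOCAL_LOGV) Log.v(LOG_TAG, "queryLastApp app_id: " + app_id
++ " content_type: " + content_type);
+
+Cursor cur = db.query(APPID_TABLE_NAME,
+new String[] {"install_order", "package_name", "class_name",
+"app_type", "need_signature", "further_processing"},
+"x_wap_application=? and content_type=?",
+new String[] {app_id, content_type},
+null /* groupBy */,
+null /* having */,
+"install_order desc" /* orderBy */);
+
 queryData ret = null;
 
 if (cur.moveToNext()) {
@@ -392,10 +396,20 @@
 SQLiteDatabase db = dbh.getReadableDatabase();
 WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, x_app_id, content_type);
 
+if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData app id: " + x_app_id + " content type: " +
+content_type + " lastapp: " + lastapp);
+
 db.close();
 
 if (lastapp == null) return false;
 
+if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData lastapp.packageName: " + lastapp.packageName +
+" lastapp.className: " + lastapp.className +
+" lastapp.appType: " + lastapp.appType +
+" lastapp.needSignature: " + lastapp.needSignature +
+" lastapp.furtherProcessing: " + lastapp.furtherProcessing);
+
+
 if (lastapp.packageName.equals(package_name)
 && lastapp.className.equals(class_name)
 && lastapp.appType == app_type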
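Review bot: A null `app_id` or `content_type` now reaches `db.query` as a bind argument in queryLastApp, and SQLiteDatabase rejects a null bind value with an IllegalArgumentException, whereas the old concatenated statement simply matched no row. If these strings can arrive as null over the binder interface (the callers are outside this hunk), a guard such as `if (app_id == null || content_type == null) return null;` ahead of the query keeps the earlier "no match" result, which verifyData already handles with `if (lastapp == null) return false;`. Separately, the new LOCAL_LOGV statements write the caller-supplied app id and content type to the log, so a short comment that LOCAL_LOGV must stay off in release builds would help. queryLastApp's body continues past the hunk, so whether `cur` is closed on every path cannot be checked from here.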
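--- a/packages/WAPPushManager/tests/src/com/android/smspush/unitTests/WapPushTest.java
+++ b/packages/WAPPushManager/tests/src/com/android/smspush/unitTests/WapPushTest.java
@@ -552,6 +552,25 @@
 }
 
 /**
+* Add sqlite injection test
+*/
+public void testAddPackage0() {
+String inject = "' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--";
+
+// insert new data
+IWapPushManager iwapman = getInterface();
+try {
+assertFalse(iwapman.addPackage(
+inject,
+Integer.toString(mContentTypeValue),
+mPackageName, mClassName,
+WapPushManagerParams.APP_TYPE_SERVICE, true, true));
+} catch (RemoteException e) {
+assertTrue(false);
+}
+}
+
+/**
 * Add duprecated package test.
 */
 public void testAddPackage2() {
@@ -1477,7 +1496,7 @@
 System.arraycopy(mWspHeader, 0, array,
 mGsmHeader.length + mUserDataHeader.length, mWspHeader.length);
 System.arraycopy(mMessageBody, 0, array,
-mGsmHeader.length + mUserDataHeader.length + mWspHeader.length,
+mGsmHeader.length + mUserDataHeader.length + mWspHeader.length,
 mMessageBody.length);
 return array;
 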
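Review bot: The catch block in testAddPackage0 turns a RemoteException into a bare `assertTrue(false)`, so a failing run reports no cause; `fail("addPackage threw " + e);` states what went wrong. The test passes the crafted string only as the application id, while the fix binds content_type the same way, so a second call with `inject` in the content-type position would cover both bound columns. There is also no cleanup: if addPackage were to store a row for this input, later tests would see it, so removing it in a `finally` may be needed, though that depends on addPackage logic not shown here. The second hunk in this file appears to be a trailing-whitespace change only.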