Issue #1353 » 0001-Externally-Reported-Moderate-Security-Issue-SQL-Inje.patch
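--- a/packages/WAPPushManager/src/com/android/smspush/WapPushManager.java
+++ b/packages/WAPPushManager/src/com/android/smspush/WapPushManager.java
@@ -117,14 +117,18 @@
 */
 protected queryData queryLastApp(SQLiteDatabase db,
 String app_id, String content_type) {
-String sql = "select install_order, package_name, class_name, "
-+ " app_type, need_signature, further_processing"
-+ " from " + APPID_TABLE_NAME
-+ " where x_wap_application=\'" + app_id + "\'"
-+ " and content_type=\'" + content_type + "\'"
-+ " order by install_order desc";
-if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
-Cursor cur = db.rawQuery(sql, null);
+if (LOCAL_LOGV) Log.v(LOG_TAG, "queryLastApp app_id: " + app_id
++ " content_type: " + content_type);
+
+Cursor cur = db.query(APPID_TABLE_NAME,
+new String[] {"install_order", "package_name", "class_name",
+"app_type", "need_signature", "further_processing"},
+"x_wap_application=? and content_type=?",
+new String[] {app_id, content_type},
+null /* groupBy */,
+null /* having */,
+"install_order desc" /* orderBy */);
+
 queryData ret = null;
 
 if (cur.moveToNext()) {
@@ -392,10 +396,20 @@
 SQLiteDatabase db = dbh.getReadableDatabase();
 WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, x_app_id, content_type);
 
+if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData app id: " + x_app_id + " content type: " +
+content_type + " lastapp: " + lastapp);
+
 db.close();
 
 if (lastapp == null) return false;
 
+if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData lastapp.packageName: " + lastapp.packageName +
+" lastapp.className: " + lastapp.className +
+" lastapp.appType: " + lastapp.appType +
+" lastapp.needSignature: " + lastapp.needSignature +
+" lastapp.furtherProcessing: " + lastapp.furtherProcessing);
+
+
 if (lastapp.packageName.equals(package_name)
 && lastapp.className.equals(class_name)
 && lastapp.appType == app_type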
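Review bot: The new `Log.v` at the top of `queryLastApp` (new lines 120–121) concatenates `app_id` and `content_type` into the log message unmodified, and these are the same caller-supplied strings the change now binds as `?` arguments because they cannot be trusted. With `LOCAL_LOGV` enabled, a value containing line breaks or misleading text is written to the log as given, so these traces should be read as attacker-influenced during triage; the `verifyData` log added further down (new lines 399–400) repeats `x_app_id` and `content_type` the same way. A short comment above the `db.query` call would also help keep the fix from being undone later, for example `// app_id and content_type are caller-controlled: bind via selectionArgs, never concatenate into the selection`. `queryLastApp` continues past the end of the hunk, so whether `cur` is closed on every path cannot be checked from here.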
packages/WAPPushManager/tests/src/com/android/smspush/unitTests/WapPushTest.java | ||
---|---|---|
552 | 552 |
} |
553 | 553 | |
554 | 554 |
/** |
555 |
* Add sqlite injection test |
|
556 |
*/ |
|
557 |
public void testAddPackage0() { |
|
558 |
String inject = "' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--"; |
|
559 | ||
560 |
// insert new data |
|
561 |
IWapPushManager iwapman = getInterface(); |
|
562 |
try { |
|
563 |
assertFalse(iwapman.addPackage( |
|
564 |
inject, |
|
565 |
Integer.toString(mContentTypeValue), |
|
566 |
mPackageName, mClassName, |
|
567 |
WapPushManagerParams.APP_TYPE_SERVICE, true, true)); |
|
568 |
} catch (RemoteException e) { |
|
569 |
assertTrue(false); |
|
570 |
} |
|
571 |
} |
|
572 | ||
573 |
/** |
|
555 | 574 |
* Add duprecated package test. |
556 | 575 |
*/ |
557 | 576 |
public void testAddPackage2() { |
... | ... | |
1477 | 1496 |
System.arraycopy(mWspHeader, 0, array, |
1478 | 1497 |
mGsmHeader.length + mUserDataHeader.length, mWspHeader.length); |
1479 | 1498 |
System.arraycopy(mMessageBody, 0, array, |
1480 |
mGsmHeader.length + mUserDataHeader.length + mWspHeader.length,
|
|
1499 |
mGsmHeader.length + mUserDataHeader.length + mWspHeader.length, |
|
1481 | 1500 |
mMessageBody.length); |
1482 | 1501 |
return array; |
1483 | 1502 |