Project

General

Profile

Issue #1353 » 0001-Externally-Reported-Moderate-Security-Issue-SQL-Inje.patch

Bug 17969135 - Wolfgang Wiedmeyer, 09/28/2015 09:58 PM

View differences:

packages/WAPPushManager/src/com/android/smspush/WapPushManager.java
117 117
         */
118 118
        protected queryData queryLastApp(SQLiteDatabase db,
119 119
                String app_id, String content_type) {
120
            String sql = "select install_order, package_name, class_name, "
121
                    + " app_type, need_signature, further_processing"
122
                    + " from " + APPID_TABLE_NAME
123
                    + " where x_wap_application=\'" + app_id + "\'"
124
                    + " and content_type=\'" + content_type + "\'"
125
                    + " order by install_order desc";
126
            if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
127
            Cursor cur = db.rawQuery(sql, null);
120
            if (LOCAL_LOGV) Log.v(LOG_TAG, "queryLastApp app_id: " + app_id
121
                    + " content_type: " +  content_type);
122

  
123
            Cursor cur = db.query(APPID_TABLE_NAME,
124
                    new String[] {"install_order", "package_name", "class_name",
125
                    "app_type", "need_signature", "further_processing"},
126
                    "x_wap_application=? and content_type=?",
127
                    new String[] {app_id, content_type},
128
                    null /* groupBy */,
129
                    null /* having */,
130
                    "install_order desc" /* orderBy */);
131

  
128 132
            queryData ret = null;
129 133

  
130 134
            if (cur.moveToNext()) {
......
392 396
        SQLiteDatabase db = dbh.getReadableDatabase();
393 397
        WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, x_app_id, content_type);
394 398

  
399
        if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData app id: " + x_app_id + " content type: " +
400
                content_type + " lastapp: " + lastapp);
401

  
395 402
        db.close();
396 403

  
397 404
        if (lastapp == null) return false;
398 405

  
406
        if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData lastapp.packageName: " + lastapp.packageName +
407
                " lastapp.className: " + lastapp.className +
408
                " lastapp.appType: " + lastapp.appType +
409
                " lastapp.needSignature: " + lastapp.needSignature +
410
                " lastapp.furtherProcessing: " + lastapp.furtherProcessing);
411

  
412

  
399 413
        if (lastapp.packageName.equals(package_name)
400 414
                && lastapp.className.equals(class_name)
401 415
                && lastapp.appType == app_type
packages/WAPPushManager/tests/src/com/android/smspush/unitTests/WapPushTest.java
552 552
    }
553 553

  
554 554
    /**
555
     * Add sqlite injection test
556
     */
557
    public void testAddPackage0() {
558
        String inject = "' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--";
559

  
560
        // insert new data
561
        IWapPushManager iwapman = getInterface();
562
        try {
563
            assertFalse(iwapman.addPackage(
564
                    inject,
565
                    Integer.toString(mContentTypeValue),
566
                    mPackageName, mClassName,
567
                    WapPushManagerParams.APP_TYPE_SERVICE, true, true));
568
        } catch (RemoteException e) {
569
            assertTrue(false);
570
        }
571
    }
572

  
573
    /**
555 574
     * Add duprecated package test.
556 575
     */
557 576
    public void testAddPackage2() {
......
1477 1496
        System.arraycopy(mWspHeader, 0, array,
1478 1497
                mGsmHeader.length + mUserDataHeader.length, mWspHeader.length);
1479 1498
        System.arraycopy(mMessageBody, 0, array,
1480
                mGsmHeader.length + mUserDataHeader.length + mWspHeader.length, 
1499
                mGsmHeader.length + mUserDataHeader.length + mWspHeader.length,
1481 1500
                mMessageBody.length);
1482 1501
        return array;
1483 1502

  
(2-2/3)