am d7044fe1: am b2e54c1b: am 75e7fbaa: am 37906e6e: am 44f6d0d5: am 4c5b16d7: am 66aa87ae: am 90743d64: am bfb7ffeb: Externally Reported Moderate Security Issue: SQL Injection in WAPPushManager
* commit 'd7044fe1f12b48cc7ba6803772ec4a2f2fe14c19': Externally Reported Moderate Security Issue: SQL Injection in WAPPushManager
This commit is contained in:
Tom Taylor
@@ -117,14 +117,18 @@ public class WapPushManager extends Service {
|
||||
*/
|
||||
protected queryData queryLastApp(SQLiteDatabase db,
|
||||
String app_id, String content_type) {
|
||||
String sql = "select install_order, package_name, class_name, "
|
||||
+ " app_type, need_signature, further_processing"
|
||||
+ " from " + APPID_TABLE_NAME
|
||||
+ " where x_wap_application=\'" + app_id + "\'"
|
||||
+ " and content_type=\'" + content_type + "\'"
|
||||
+ " order by install_order desc";
|
||||
if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
|
||||
Cursor cur = db.rawQuery(sql, null);
|
||||
if (LOCAL_LOGV) Log.v(LOG_TAG, "queryLastApp app_id: " + app_id
|
||||
+ " content_type: " + content_type);
|
||||
|
||||
Cursor cur = db.query(APPID_TABLE_NAME,
|
||||
new String[] {"install_order", "package_name", "class_name",
|
||||
"app_type", "need_signature", "further_processing"},
|
||||
"x_wap_application=? and content_type=?",
|
||||
new String[] {app_id, content_type},
|
||||
null /* groupBy */,
|
||||
null /* having */,
|
||||
"install_order desc" /* orderBy */);
|
||||
|
||||
queryData ret = null;
|
||||
|
||||
if (cur.moveToNext()) {
|
||||
@@ -392,10 +396,20 @@ public class WapPushManager extends Service {
|
||||
SQLiteDatabase db = dbh.getReadableDatabase();
|
||||
WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, x_app_id, content_type);
|
||||
|
||||
if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData app id: " + x_app_id + " content type: " +
|
||||
content_type + " lastapp: " + lastapp);
|
||||
|
||||
db.close();
|
||||
|
||||
if (lastapp == null) return false;
|
||||
|
||||
if (LOCAL_LOGV) Log.v(LOG_TAG, "verifyData lastapp.packageName: " + lastapp.packageName +
|
||||
" lastapp.className: " + lastapp.className +
|
||||
" lastapp.appType: " + lastapp.appType +
|
||||
" lastapp.needSignature: " + lastapp.needSignature +
|
||||
" lastapp.furtherProcessing: " + lastapp.furtherProcessing);
|
||||
|
||||
|
||||
if (lastapp.packageName.equals(package_name)
|
||||
&& lastapp.className.equals(class_name)
|
||||
&& lastapp.appType == app_type
|
||||
|
||||
@@ -551,6 +551,25 @@ public class WapPushTest extends ServiceTestCase<WapPushManager> {
|
||||
mContentTypeValue = originalContentTypeValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add sqlite injection test
|
||||
*/
|
||||
public void testAddPackage0() {
|
||||
String inject = "' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--";
|
||||
|
||||
// insert new data
|
||||
IWapPushManager iwapman = getInterface();
|
||||
try {
|
||||
assertFalse(iwapman.addPackage(
|
||||
inject,
|
||||
Integer.toString(mContentTypeValue),
|
||||
mPackageName, mClassName,
|
||||
WapPushManagerParams.APP_TYPE_SERVICE, true, true));
|
||||
} catch (RemoteException e) {
|
||||
assertTrue(false);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Add duprecated package test.
|
||||
*/
|
||||
@@ -1477,7 +1496,7 @@ public class WapPushTest extends ServiceTestCase<WapPushManager> {
|
||||
System.arraycopy(mWspHeader, 0, array,
|
||||
mGsmHeader.length + mUserDataHeader.length, mWspHeader.length);
|
||||
System.arraycopy(mMessageBody, 0, array,
|
||||
mGsmHeader.length + mUserDataHeader.length + mWspHeader.length,
|
||||
mGsmHeader.length + mUserDataHeader.length + mWspHeader.length,
|
||||
mMessageBody.length);
|
||||
return array;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user