From 34637e57fc5bce01029806a67cf0cc2ef049e13b Mon Sep 17 00:00:00 2001
From: Christopher Tate <ctate@google.com>
Date: Thu, 4 Oct 2012 15:00:00 -0700
Subject: [PATCH] Make sure to check write perms after rewriting destination
 table

The write-permission check must occur after any destination-table
rewriting, otherwise any application would be able to write to
any global setting, by supplying a fraudulent "system" namespace
in the uri, but with a key name that will be redirected to global.

Bug 7289965

Change-Id: I122098a64e40d14e00d3cb6608c50aeb74faf7ce
---
 .../src/com/android/providers/settings/SettingsProvider.java  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 1701f6e69e36a..76a5022379897 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -849,7 +849,6 @@ public class SettingsProvider extends ContentProvider {
         if (TABLE_FAVORITES.equals(args.table)) {
             return null;
         }
-        checkWritePermissions(args);
 
         // Special case LOCATION_PROVIDERS_ALLOWED.
         // Support enabling/disabling a single provider (using "+" or "-" prefix)
@@ -869,6 +868,9 @@ public class SettingsProvider extends ContentProvider {
             }
         }
 
+        // Check write permissions only after determining which table the insert will touch
+        checkWritePermissions(args);
+
         // The global table is stored under the owner, always
         if (TABLE_GLOBAL.equals(args.table)) {
             desiredUserHandle = UserHandle.USER_OWNER;