diff options
author | Chiao Cheng <chiaocheng@google.com> | 2013-07-10 17:31:04 -0700 |
---|---|---|
committer | Chiao Cheng <chiaocheng@google.com> | 2013-07-10 17:31:04 -0700 |
commit | eef11a95dc667923954fceb5e598011c04b19d1d (patch) | |
tree | 1a3d9f95614b2180d792f97e15720fb662230623 | |
parent | 629f595e1e2324f7403465d96c4637375cc0c888 (diff) | |
download | ContactsProvider-eef11a95dc667923954fceb5e598011c04b19d1d.tar.gz |
Do not allow updates to the _data column.
Fixes a security hole where applications can update the data location of
voicemail files to point to arbitrary file paths.
Voicemail provider stores the location of the data file in the _data column.
Applications can update this with an arbitrary file path as long as they
have the ADD_VOICEMAIL permission. Then they can subsequently read that
voicemail and obtain access to the file. This location is generated by the
provider and does not need to be updated by the applications.
Bug: 9674953
Change-Id: I81be82e7aa828231ea7d282ec5855c29cd4fb4f6
-rw-r--r-- | src/com/android/providers/contacts/VoicemailContentTable.java | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/com/android/providers/contacts/VoicemailContentTable.java b/src/com/android/providers/contacts/VoicemailContentTable.java index 3f00b262..2047e12c 100644 --- a/src/com/android/providers/contacts/VoicemailContentTable.java +++ b/src/com/android/providers/contacts/VoicemailContentTable.java @@ -31,6 +31,7 @@ import android.net.Uri; import android.os.ParcelFileDescriptor; import android.provider.CallLog.Calls; import android.provider.OpenableColumns; +import android.provider.VoicemailContract; import android.provider.VoicemailContract.Voicemails; import android.util.Log; @@ -213,6 +214,7 @@ public class VoicemailContentTable implements VoicemailTable.Delegate { String[] selectionArgs) { checkForSupportedColumns(mVoicemailProjectionMap, values); checkUpdateSupported(uriData); + checkForUnsupportedColumnUpdates(values); final SQLiteDatabase db = mDbHelper.getWritableDatabase(); // TODO: This implementation does not allow bulk update because it only accepts // URI that include message Id. I think we do want to support bulk update. @@ -222,6 +224,15 @@ public class VoicemailContentTable implements VoicemailTable.Delegate { selectionArgs); } + private void checkForUnsupportedColumnUpdates(ContentValues values) { + // Data column points to the voicemail audio file and is generated by the provider. + // Do not let applications update it. + if (values.containsKey(Voicemails._DATA)) { + throw new IllegalArgumentException("Updates to " + Voicemails._DATA + + " column are not allowed."); + } + } + private void checkUpdateSupported(UriData uriData) { if (!uriData.hasId()) { throw new UnsupportedOperationException(String.format( |