Do not allow updates to the _data column.android-cts-4.1_r4 jb-dev

Fixes a security hole where applications can update the data location of voicemail files to point to arbitrary file paths. Voicemail provider stores the location of the data file in the _data column. Applications can update this with an arbitrary file path as long as they have the ADD_VOICEMAIL permission. Then they can subsequently read that voicemail and obtain access to the file. This location is generated by the provider and does not need to be updated by the applications. Bug: 9674953 (cherry picked from commit ab2a24c126f35ae4aefb469f91094e5972abd8f0) Change-Id: I6c795fe8e283f60f71ebc0e53606383c9fd22e71
author: Chiao Cheng <chiaocheng@google.com> 2013-07-10 17:31:04 -0700
committer: Chiao Cheng <chiaocheng@google.com> 2013-07-12 15:52:46 -0700
commit: 284f71646d1953f2d78b53e2cdb42cb93e1d9d6f (patch)
tree: 4fe22125596449ed1238969d964df191b11735e5
parent: ff91ec356f1b17dea095a880f61b8bc4ff333b1e (diff)
download: ContactsProvider-jb-dev.tar.gz
2 files changed, 33 insertions, 3 deletions
diff --git a/src/com/android/providers/contacts/VoicemailContentTable.java b/src/com/android/providers/contacts/VoicemailContentTable.java
index 3b72653a..5cfbca79 100644
--- a/src/com/android/providers/contacts/VoicemailContentTable.java
+++ b/src/com/android/providers/contacts/VoicemailContentTable.java
@@ -38,6 +38,8 @@ import android.provider.OpenableColumns;
 import android.provider.VoicemailContract.Voicemails;
 import android.util.Log;
 
+import com.google.common.collect.ImmutableSet;
+
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -54,6 +56,21 @@ public class VoicemailContentTable implements VoicemailTable.Delegate {
 
     private static final String[] FILENAME_ONLY_PROJECTION = new String[] { Voicemails._DATA };
 
+    private static final ImmutableSet<String> ALLOWED_COLUMNS = new ImmutableSet.Builder<String>()
+            .add(Voicemails._ID)
+            .add(Voicemails.NUMBER)
+            .add(Voicemails.DATE)
+            .add(Voicemails.DURATION)
+            .add(Voicemails.IS_READ)
+            .add(Voicemails.STATE)
+            .add(Voicemails.SOURCE_DATA)
+            .add(Voicemails.SOURCE_PACKAGE)
+            .add(Voicemails.HAS_CONTENT)
+            .add(Voicemails.MIME_TYPE)
+            .add(OpenableColumns.DISPLAY_NAME)
+            .add(OpenableColumns.SIZE)
+            .build();
+
     private final String mTableName;
     private final SQLiteOpenHelper mDbHelper;
     private final Context mContext;
@@ -211,8 +228,10 @@ public class VoicemailContentTable implements VoicemailTable.Delegate {
     @Override
     public int update(UriData uriData, ContentValues values, String selection,
             String[] selectionArgs) {
-        checkForSupportedColumns(mVoicemailProjectionMap, values);
+
+        checkForSupportedColumns(ALLOWED_COLUMNS, values, "Updates are not allowed.");
         checkUpdateSupported(uriData);
+
         final SQLiteDatabase db = mDbHelper.getWritableDatabase();
         // TODO: This implementation does not allow bulk update because it only accepts
         // URI that include message Id. I think we do want to support bulk update.
diff --git a/src/com/android/providers/contacts/util/DbQueryUtils.java b/src/com/android/providers/contacts/util/DbQueryUtils.java
index c853a961..2b976a1a 100644
--- a/src/com/android/providers/contacts/util/DbQueryUtils.java
+++ b/src/com/android/providers/contacts/util/DbQueryUtils.java
@@ -20,6 +20,7 @@ import android.database.DatabaseUtils;
 import android.text.TextUtils;
 
 import java.util.HashMap;
+import java.util.Set;
 
 /**
  * Static methods for helping us build database query selection strings.
@@ -83,14 +84,24 @@ public class DbQueryUtils {
     /**
      * Checks if the given ContentValues contains values within the projection
      * map.
+     *
      * @throws IllegalArgumentException if any value in values is not found in
      * the projection map.
      */
     public static void checkForSupportedColumns(HashMap<String, String> projectionMap,
             ContentValues values) {
+        checkForSupportedColumns(projectionMap.keySet(), values, "Is invalid.");
+    }
+
+    /**
+     * @see #checkForSupportedColumns(HashMap, ContentValues)
+     */
+    public static void checkForSupportedColumns(Set<String> allowedColumns, ContentValues values,
+            String msgSuffix) {
         for (String requestedColumn : values.keySet()) {
-            if (!projectionMap.keySet().contains(requestedColumn)) {
-                throw new IllegalArgumentException("Column '" + requestedColumn + "' is invalid.");
+            if (!allowedColumns.contains(requestedColumn)) {
+                throw new IllegalArgumentException("Column '" + requestedColumn + "'. " +
+                        msgSuffix);
             }
         }
     }
author	Chiao Cheng <chiaocheng@google.com>	2013-07-10 17:31:04 -0700
committer	Chiao Cheng <chiaocheng@google.com>	2013-07-12 15:52:46 -0700
commit	284f71646d1953f2d78b53e2cdb42cb93e1d9d6f (patch)
tree	4fe22125596449ed1238969d964df191b11735e5
parent	ff91ec356f1b17dea095a880f61b8bc4ff333b1e (diff)
download	ContactsProvider-jb-dev.tar.gz