Allow 3rd-party apps to supply sort order.

Previously, we blocked sort order to make TvProvider secure, but this
limited developers to access EPG data in an efficient way. This change
allows the sort order with validation on the input param.

Bug: 19357901
Change-Id: I8a2f601f1a736d53a11cd4b973d90e41d827d9ee

1 files changed, 29 insertions, 6 deletions

diff --git a/src/com/android/providers/tv/TvProvider.java b/src/com/android/providers/tv/TvProvider.java
index 3f928d9..88d9de2 100644
--- a/src/com/android/providers/tv/TvProvider.java
+++ b/src/com/android/providers/tv/TvProvider.java
@@ -487,22 +487,26 @@ public class TvProvider extends ContentProvider {
     @Override
     public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
             String sortOrder) {
-        if (needsToLimitPackage(uri) && !TextUtils.isEmpty(sortOrder)) {
-            throw new SecurityException("Sort order not allowed for " + uri);
-        }
+        boolean needsToValidateSortOrder = needsToLimitPackage(uri);
         SqlParams params = createSqlParams(OP_QUERY, uri, selection, selectionArgs);
 
         SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();
+        queryBuilder.setStrict(needsToValidateSortOrder);
         queryBuilder.setTables(params.getTables());
         String orderBy = null;
+        Map<String, String> projectionMap;
         if (params.getTables().equals(PROGRAMS_TABLE)) {
-            queryBuilder.setProjectionMap(sProgramProjectionMap);
+            projectionMap = sProgramProjectionMap;
             orderBy = DEFAULT_PROGRAMS_SORT_ORDER;
         } else if (params.getTables().equals(WATCHED_PROGRAMS_TABLE)) {
-            queryBuilder.setProjectionMap(sWatchedProgramProjectionMap);
+            projectionMap = sWatchedProgramProjectionMap;
             orderBy = DEFAULT_WATCHED_PROGRAMS_SORT_ORDER;
         } else {
-            queryBuilder.setProjectionMap(sChannelProjectionMap);
+            projectionMap = sChannelProjectionMap;
+        }
+        queryBuilder.setProjectionMap(projectionMap);
+        if (needsToValidateSortOrder) {
+            validateSortOrder(sortOrder, projectionMap.keySet());
         }
 
         // Use the default sort order only if no sort order is specified.
@@ -933,6 +937,25 @@ public class TvProvider extends ContentProvider {
         }
     }
 
+    /**
+     * Validates the sort order based on the given field set.
+     *
+     * @throws IllegalArgumentException if there is any unknown field.
+     */
+    private static void validateSortOrder(String sortOrder, Set<String> possibleFields) {
+        if (TextUtils.isEmpty(sortOrder) || possibleFields.isEmpty()) {
+            return;
+        }
+        String[] orders = sortOrder.split(",");
+        for (String order : orders) {
+            String field = order.replaceAll("\\s+", " ").trim().toLowerCase().replace(" asc", "")
+                    .replace(" desc", "");
+            if (!possibleFields.contains(field)) {
+                throw new IllegalArgumentException("Illegal field in sort order " + order);
+            }
+        }
+    }
+
     private class PipeMonitor extends AsyncTask<Void, Void, Void> {
         private final ParcelFileDescriptor mPfd;
         private final long mChannelId;