Check msg_id and thread_type value before
concatenating.
msg_id and thread_type parameters are used for sql injection in MmsSmsProvider#query.
This is solved by checking the value of msg_id and thread_type before concetenating it
to extraSelection.
Bug: 224770183, 224770203
Test: atest android.telephonyprovider.cts.SmsTest,
atest CtsTelephonyTestCases
Sanity check - sending and receiving sms and mms manually
Change-Id: I36706a89bd4cfeefc26ee09496086a6efe3169f4
diff --git a/src/com/android/providers/telephony/MmsSmsProvider.java b/src/com/android/providers/telephony/MmsSmsProvider.java
index 76d3b8a..904e2ba 100644
--- a/src/com/android/providers/telephony/MmsSmsProvider.java
+++ b/src/com/android/providers/telephony/MmsSmsProvider.java
@@ -361,8 +361,15 @@
if ((simple != null) && simple.equals("true")) {
String threadType = uri.getQueryParameter("thread_type");
if (!TextUtils.isEmpty(threadType)) {
- selection = concatSelections(
- selection, Threads.TYPE + "=" + threadType);
+ try {
+ Integer.parseInt(threadType);
+ selection = concatSelections(
+ selection, Threads.TYPE + "=" + threadType);
+ } catch (NumberFormatException ex) {
+ Log.e(LOG_TAG, "Thread type must be int");
+ // return empty cursor
+ break;
+ }
}
cursor = getSimpleConversations(
projection, selection, selectionArgs, sortOrder);
@@ -491,9 +498,15 @@
String extraSelection = (proto != -1) ?
(PendingMessages.PROTO_TYPE + "=" + proto) : " 0=0 ";
if (!TextUtils.isEmpty(msgId)) {
- extraSelection += " AND " + PendingMessages.MSG_ID + "=" + msgId;
+ try {
+ Long.parseLong(msgId);
+ extraSelection += " AND " + PendingMessages.MSG_ID + "=" + msgId;
+ } catch(NumberFormatException ex) {
+ Log.e(LOG_TAG, "MSG ID must be a Long.");
+ // return empty cursor
+ break;
+ }
}
-
String finalSelection = TextUtils.isEmpty(selection)
? extraSelection : ("(" + extraSelection + ") AND " + selection);
String finalOrder = TextUtils.isEmpty(sortOrder)
