Append GET_ID custom function using bindSelection

GET_ID custom function accepts FileColumns.DATA as input. Previously,
this value was interpolated into the SQL statement as a raw string. Since
FileColumns.DATA is obtained from user input, this could allow SQL injection.

Changed buildInsert and buildUpdate to append GET_ID custom function
to sql statement using DatabaseUtils.bindSelection

Test: atest packages/providers/MediaProvider
Bug: 154189383
Change-Id: I7279c489e971d96d17a7538388373fb60621daa6
diff --git a/src/com/android/providers/media/util/SQLiteQueryBuilder.java b/src/com/android/providers/media/util/SQLiteQueryBuilder.java
index e3e0e71..44c3a53 100644
--- a/src/com/android/providers/media/util/SQLiteQueryBuilder.java
+++ b/src/com/android/providers/media/util/SQLiteQueryBuilder.java
@@ -22,6 +22,7 @@
 import static android.content.ContentResolver.QUERY_ARG_SQL_SELECTION;
 import static android.content.ContentResolver.QUERY_ARG_SQL_SELECTION_ARGS;
 import static android.content.ContentResolver.QUERY_ARG_SQL_SORT_ORDER;
+import static com.android.providers.media.util.DatabaseUtils.bindSelection;
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
@@ -78,13 +79,13 @@
      * Raw SQL clause to obtain the value of {@link MediaColumns#_ID} from custom database function
      * {@code _GET_ID} for INSERT operation.
      */
-    private static final String GET_ID_FOR_INSERT_CLAUSE = "_GET_ID('%s')";
+    private static final String GET_ID_FOR_INSERT_CLAUSE = "_GET_ID(?)";
 
     /**
      * Raw SQL clause to obtain the value of {@link MediaColumns#_ID} from custom database function
      * {@code _GET_ID} for UPDATE operation.
      */
-    private static final String GET_ID_FOR_UPDATE_CLAUSE = "ifnull(_GET_ID('%s'), _id)";
+    private static final String GET_ID_FOR_UPDATE_CLAUSE = "ifnull(_GET_ID(?), _id)";
 
     public SQLiteQueryBuilder() {
         mDistinct = false;
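Review bot: The Javadoc on GET_ID_FOR_INSERT_CLAUSE and GET_ID_FOR_UPDATE_CLAUSE still describes them as a "Raw SQL clause", but after this change each is a template with a single `?` placeholder that only becomes SQL once bindSelection substitutes the DATA value, and the quoting that the old `'%s'` form supplied inline is now bindSelection's responsibility. Suggested wording for both comments: ` * SQL template for obtaining {@link MediaColumns#_ID} from the custom database function {@code _GET_ID}; the single {@code ?} is bound to {@link MediaColumns#DATA} through {@link DatabaseUtils#bindSelection}, never formatted in.` The enclosing class and the constructor that begins at the end of this hunk continue outside it.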
@@ -876,7 +877,8 @@
         }
         if (shouldAppendRowId(values)) {
             sql.append(',');
-            sql.append(String.format(GET_ID_FOR_INSERT_CLAUSE, values.get(MediaColumns.DATA)));
+            sql.append(bindSelection(GET_ID_FOR_INSERT_CLAUSE,
+                    values.getAsString(MediaColumns.DATA)));
         }
         sql.append(")");
         return sql.toString();
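Review bot: `values.getAsString(MediaColumns.DATA)` returns null when the key is absent or the stored value is not convertible, and what bindSelection does with a null argument is not visible in this hunk, whereas the old `String.format` path at least produced a literal `'null'`. Unless shouldAppendRowId(values) already guarantees a non-null DATA (it is defined outside the hunk), guard it before the call, e.g. `final String data = values.getAsString(MediaColumns.DATA);` followed by `if (data == null) throw new IllegalArgumentException("DATA is required to resolve _ID");`. The same applies to the buildUpdate hunk below. Because bindSelection appears to substitute an escaped value into the SQL string rather than bind a statement parameter, a unit test whose DATA value contains a single quote and a closing parenthesis would pin that the escaping holds on both the insert and update paths. buildInsert starts before this hunk.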
@@ -920,7 +922,8 @@
             sql.append(',');
             sql.append(MediaColumns._ID);
             sql.append('=');
-            sql.append(String.format(GET_ID_FOR_UPDATE_CLAUSE, values.get(MediaColumns.DATA)));
+            sql.append(bindSelection(GET_ID_FOR_UPDATE_CLAUSE,
+                    values.getAsString(MediaColumns.DATA)));
         }
 
         final String where = computeWhere(selection);