
Merge pull request #1820 from nextcloud/sql

Prevent sql injections
Andy Scherzinger 7 лет назад
Родитель
Сommit
bffa619b28

+ 1 - 0
src/main/AndroidManifest.xml

@@ -261,6 +261,7 @@
         <activity
             android:name=".ui.activity.ShareActivity"
             android:label="@string/share_dialog_title"
+            android:exported="false"
             android:theme="@style/Theme.ownCloud.Dialog.NoTitle"
             android:launchMode="singleTop"
             android:windowSoftInputMode="adjustResize" >
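Review bot: `android:exported="false"` on ShareActivity is only safe if the rest of this `<activity>` element, which continues outside the hunk, declares no intent-filter that other applications rely on; please confirm that, since an exported activity with a filter becomes unreachable to them after this change. The companion change in FileContentProvider hardens the provider against callers it cannot trust, so the provider's own manifest entry, whether it is exported and which permission guards it, deserves the same check; it is not touched in this commit.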

+ 7 - 2
src/main/java/com/owncloud/android/db/ProviderMeta.java

@@ -101,8 +101,13 @@ public class ProviderMeta {
         public static final String FILE_ETAG_IN_CONFLICT = "etag_in_conflict";
         public static final String FILE_FAVORITE = "favorite";
 
-        public static final String FILE_DEFAULT_SORT_ORDER = FILE_NAME
-                + " collate nocase asc";
+        public static final String[] FILE_ALL_COLUMNS = {_ID, FILE_PARENT, FILE_NAME, FILE_CREATION, FILE_MODIFIED,
+                FILE_MODIFIED_AT_LAST_SYNC_FOR_DATA, FILE_CONTENT_LENGTH, FILE_CONTENT_TYPE, FILE_STORAGE_PATH,
+                FILE_PATH, FILE_ACCOUNT_OWNER, FILE_LAST_SYNC_DATE, FILE_LAST_SYNC_DATE_FOR_DATA, FILE_KEEP_IN_SYNC,
+                FILE_ETAG, FILE_SHARED_VIA_LINK, FILE_SHARED_WITH_SHAREE, FILE_PUBLIC_LINK, FILE_PERMISSIONS,
+                FILE_REMOTE_ID, FILE_UPDATE_THUMBNAIL, FILE_IS_DOWNLOADING, FILE_ETAG_IN_CONFLICT, FILE_FAVORITE};
+
+        public static final String FILE_DEFAULT_SORT_ORDER = FILE_NAME + " collate nocase asc";
 
         // Columns of ocshares table
         public static final String OCSHARES_FILE_SOURCE = "file_source";
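Review bot: `FILE_ALL_COLUMNS` is a `public static final String[]`, which fixes the reference but leaves every element writable by any class in the process, and the companion change in FileContentProvider builds its projection whitelist from exactly this array. Consider exposing it as an unmodifiable list instead, `public static final List<String> FILE_ALL_COLUMNS = Collections.unmodifiableList(Arrays.asList(...))`, which the for-each consumer accepts unchanged, or at least document the contract with `// Whitelist of columns that may be requested through FileContentProvider; keep in sync with the file table, a column missing here is not selectable once the projection map is applied.` Either way the array deserves a comment, because nothing at the declaration says it has a security role.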

+ 21 - 2
src/main/java/com/owncloud/android/providers/FileContentProvider.java

@@ -53,6 +53,7 @@ import com.owncloud.android.utils.MimeType;
 
 import java.io.File;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.Locale;
 
 /**
@@ -459,7 +460,7 @@ public class FileContentProvider extends ContentProvider {
     private Cursor query(
             SQLiteDatabase db,
             Uri uri,
-            String[] projection,
+            String[] projectionArray,
             String selection,
             String[] selectionArgs,
             String sortOrder
@@ -579,7 +580,25 @@ public class FileContentProvider extends ContentProvider {
 
         // DB case_sensitive
         db.execSQL("PRAGMA case_sensitive_like = true");
-        Cursor c = sqlQuery.query(db, projection, selection, selectionArgs, null, null, order);
+
+        // only file list is accessible via content provider, so only this has to be protected with projectionMap
+        if (mUriMatcher.match(uri) == ROOT_DIRECTORY && projectionArray != null) {
+            HashMap<String, String> projectionMap = new HashMap<>();
+
+            for (String projection : ProviderTableMeta.FILE_ALL_COLUMNS) {
+                projectionMap.put(projection, projection);
+            }
+
+            sqlQuery.setProjectionMap(projectionMap);
+        }
+
+        if (selectionArgs == null) {
+            selectionArgs = new String[]{selection};
+            selection = "(?)";
+        }
+
+        sqlQuery.setStrict(true);
+        Cursor c = sqlQuery.query(db, projectionArray, selection, selectionArgs, null, null, order);
         c.setNotificationUri(getContext().getContentResolver(), uri);
         return c;
     }
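Review bot: The `selectionArgs == null` branch replaces the caller's predicate with the literal `(?)` bound to the predicate text, so a selection such as `parent = 5` passed without arguments is no longer evaluated as a filter but as a string value (under SQLite's affinity rules that matches no rows), and a null selection binds a null argument, which the SQLite binding code rejects with IllegalArgumentException; every internal caller that uses a literal selection is affected, not only untrusted ones. `setStrict(true)` together with the projection map already validates the selection and whitelists columns, so the rewrite can be removed, or, if arg-less selections from outside callers are meant to be refused, reject them explicitly rather than silently changing the query. The projection map is also applied only for `ROOT_DIRECTORY`; the comment above it asserts that no other URI is reachable through the provider, which is worth confirming against the manifest and the UriMatcher, since applying the map for every match of the same table costs nothing. The body of query() begins in the earlier hunk and the part between the two hunks is outside this view.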