author | Fyodor Kupolov <fkupolov@google.com> | 2018-03-26 15:49:03 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2018-06-08 19:06:58 +0200 |
commit | 7adc7a087fd07eefb1e811fd4bb3ca882fcd9ae4 (patch) | |
tree | 70b260769e8ebc06077dc44a2471c673ffb35888 | |
parent | 0f844d2de683579eb59a83d630ffd13488dff90f (diff) | |
Check caller before accessing database (replicant-6.0-0004-rc1)
Test: Manual using PoC app
Bug: 75298708
Change-Id: I9e495fd94588e9a3fccfa2da1a9a7fcfd7f2ffa7
(cherry picked from commit 136dc9b3b628493e32446325de39b10d9bc5cb77)
CVE-2018-9375
-rw-r--r-- | src/com/android/providers/userdictionary/UserDictionaryProvider.java | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/src/com/android/providers/userdictionary/UserDictionaryProvider.java b/src/com/android/providers/userdictionary/UserDictionaryProvider.java
index e653047..a840ea9 100644
--- a/src/com/android/providers/userdictionary/UserDictionaryProvider.java
+++ b/src/com/android/providers/userdictionary/UserDictionaryProvider.java
@@ -147,6 +147,11 @@ public class UserDictionaryProvider extends ContentProvider {
 @Override
 public Cursor query(Uri uri, String[] projection, String selection,
 String[] selectionArgs, String sortOrder) {
+ // Only the enabled IMEs and spell checkers can access this provider.
+ if (!canCallerAccessUserDictionary()) {
+ return getEmptyCursorOrThrow(projection);
+ }
+
 SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
 
 switch (sUriMatcher.match(uri)) {
@@ -165,11 +170,6 @@ public class UserDictionaryProvider extends ContentProvider {
 throw new IllegalArgumentException("Unknown URI " + uri);
 }
 
- // Only the enabled IMEs and spell checkers can access this provider.
- if (!canCallerAccessUserDictionary()) {
- return getEmptyCursorOrThrow(projection);
- }
-
 // If no sort order is specified use the default
 String orderBy;
 if (TextUtils.isEmpty(sortOrder)) {
@@ -252,6 +252,11 @@ public class UserDictionaryProvider extends ContentProvider {
 
 @Override
 public int delete(Uri uri, String where, String[] whereArgs) {
+ // Only the enabled IMEs and spell checkers can access this provider.
+ if (!canCallerAccessUserDictionary()) {
+ return 0;
+ }
+
 SQLiteDatabase db = mOpenHelper.getWritableDatabase();
 int count;
 switch (sUriMatcher.match(uri)) {
@@ -269,11 +274,6 @@ public class UserDictionaryProvider extends ContentProvider {
 throw new IllegalArgumentException("Unknown URI " + uri);
 }
 
- // Only the enabled IMEs and spell checkers can access this provider.
- if (!canCallerAccessUserDictionary()) {
- return 0;
- }
-
 getContext().getContentResolver().notifyChange(uri, null);
 mBackupManager.dataChanged();
 return count;
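Review bot: The rejection branch added at the top of query() is silent: it returns `getEmptyCursorOrThrow(projection)`, and the matching guards in delete() and update() return 0, so a denied caller looks the same as an empty dictionary and nothing in the visible lines records the attempt. As the commit is tagged CVE-2018-9375, a log line in the denied branch would give defenders something to alert on, for example `Log.w("UserDictionaryProvider", "Denied query for uid " + Binder.getCallingUid());`. canCallerAccessUserDictionary() is defined outside this diff and may already log, so check there before adding a second message. The body of query() continues past the end of the hunk.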
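Review bot: The comment above the new guard in delete() says who may call the provider but not why the check has to come first, which is the whole reason for moving it from below the URI switch. I would extend it to `// Must stay ahead of getWritableDatabase() and the URI switch so a rejected caller never reaches a database write.` and use the same wording in update(), with a read-side equivalent in query(). The same four-line block now appears in three methods, so the ordering requirement is easy to lose in a later refactor unless it is written down. The switch body is outside the hunk, so that it wrote to the database ahead of the old check is inferred from the commit title.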
@@ -281,6 +281,11 @@ public class UserDictionaryProvider extends ContentProvider {
 
 @Override
 public int update(Uri uri, ContentValues values, String where, String[] whereArgs) {
+ // Only the enabled IMEs and spell checkers can access this provider.
+ if (!canCallerAccessUserDictionary()) {
+ return 0;
+ }
+
 SQLiteDatabase db = mOpenHelper.getWritableDatabase();
 int count;
 switch (sUriMatcher.match(uri)) {
@@ -298,11 +303,6 @@ public class UserDictionaryProvider extends ContentProvider {
 throw new IllegalArgumentException("Unknown URI " + uri);
 }
 
- // Only the enabled IMEs and spell checkers can access this provider.
- if (!canCallerAccessUserDictionary()) {
- return 0;
- }
-
 getContext().getContentResolver().notifyChange(uri, null);
 mBackupManager.dataChanged();
 return count; |
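Review bot: insert() is the remaining write entry point and does not appear in this diff, so it cannot be confirmed from here that it runs canCallerAccessUserDictionary() before touching the database, as update() now does. The commit message lists only `Test: Manual using PoC app`, so nothing automated pins the new ordering either. A provider test that calls update(), delete() and query() as a caller the check rejects, then asserts the stored words are unchanged and the cursor is empty, would catch a regression. The body of update() continues outside the hunk.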