ab2a24c126f35ae4aefb469f91094e5972abd8f0 - platform_packages_providers_ContactsProvider

commit	ab2a24c126f35ae4aefb469f91094e5972abd8f0	[log] [tgz]
author	Chiao Cheng <chiaocheng@google.com>	Wed Jul 10 17:31:04 2013 -0700
committer	Chiao Cheng <chiaocheng@google.com>	Fri Jul 12 12:12:38 2013 -0700
tree	e8a25450ec6e86bbca4124f708b6339ea442ce26
parent	629f595e1e2324f7403465d96c4637375cc0c888 [diff]

Do not allow updates to the _data column.

Fixes a security hole where applications can update the data location of
voicemail files to point to arbitrary file paths.

Voicemail provider stores the location of the data file in the _data column.
Applications can update this with an arbitrary file path as long as they
have the ADD_VOICEMAIL permission.  Then they can subsequently read that
voicemail and obtain access to the file. This location is generated by the
provider and does not need to be updated by the applications.

Bug: 9674953
Change-Id: I9c8fc45071a06d627574a52bafbd9e6e172b4bf8

src/com/android/providers/contacts/VoicemailContentTable.java[diff]
src/com/android/providers/contacts/util/DbQueryUtils.java[diff]

2 files changed

tree: e8a25450ec6e86bbca4124f708b6339ea442ce26

res/
src/
tests/
Android.mk
AndroidManifest.xml
CleanSpec.mk
MODULE_LICENSE_APACHE2
NOTICE
proguard.flags