From ff219c8bf4883c70ff3224769fc615626b7969c8 Mon Sep 17 00:00:00 2001 From: Sameer Prakash Pradhan Date: Fri, 25 May 2018 17:52:53 +0530 Subject: [PATCH] [Non-ACR][email-service][SQL injection issue] Signed-off-by: Sameer Prakash Pradhan Change-Id: Ibfe35f3d0dd72d103d3a78d92a47c5a3555e9f64 --- email-core/email-storage/email-storage.c | 42 ++++++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/email-core/email-storage/email-storage.c b/email-core/email-storage/email-storage.c index 0c357c0..bb86c67 100755 --- a/email-core/email-storage/email-storage.c +++ b/email-core/email-storage/email-storage.c @@ -369,6 +369,7 @@ int shm_fd_for_generating_mail_id = 0; { return_value = function_call; } #endif /* __FEATURE_USE_SHARED_MUTEX_FOR_PROTECTED_FUNC_CALL__ */ + static int emstorage_exec_query_by_prepare_v2(sqlite3 *local_db_handle, char *query_string) { EM_DEBUG_FUNC_BEGIN("local_db_handle[%p] query_string[%p]", local_db_handle, query_string); @@ -1470,6 +1471,42 @@ static int _bind_stmt_field_data_blob(DB_STMT hStmt, int index, void *blob, int return true; } +static int emstorage_exec_query_by_prepare_v2_stmt(sqlite3 *local_db_handle, char *query_string, char * target_mailbox_name, int input_mailbox_id, int target_account_id) +{ + + EM_DEBUG_FUNC_BEGIN("Prepared Statement: local_db_handle[%p] query_string[%p]", local_db_handle, query_string); + int error = EMAIL_ERROR_NONE; + int rc = 0, count = 0; + DB_STMT db_statement = NULL; + + EMSTORAGE_PROTECTED_FUNC_CALL(sqlite3_prepare_v2(local_db_handle, query_string, EM_SAFE_STRLEN(query_string), &db_statement, NULL), rc); + + _bind_stmt_field_data_string(db_statement, count++, target_mailbox_name, 0, EM_SAFE_STRLEN(target_mailbox_name)-1); + _bind_stmt_field_data_int(db_statement, count++, input_mailbox_id); + _bind_stmt_field_data_int(db_statement, count++, target_account_id); + + + EM_DEBUG_DB_EXEC((SQLITE_OK != rc), {error = EMAIL_ERROR_DB_FAILURE; goto FINISH_OFF; }, + ("sqlite3_prepare failed [%d] [%s]", rc, query_string)); + + EMSTORAGE_PROTECTED_FUNC_CALL(sqlite3_step(db_statement), rc); + EM_DEBUG_DB_EXEC((rc != SQLITE_ROW && rc != SQLITE_DONE), {error = EMAIL_ERROR_DB_FAILURE; goto FINISH_OFF; }, + ("sqlite3_step failed [%d] [%s]", rc, query_string)); + +FINISH_OFF: + + if (db_statement != NULL) { + rc = sqlite3_finalize(db_statement); + if (rc != SQLITE_OK) { + EM_DEBUG_EXCEPTION("sqlite3_finalize error [%d]", rc); + error = EMAIL_ERROR_DB_FAILURE; + } + } + + return error; + + +} static int _delete_temp_file(const char *path) { @@ -9949,9 +9986,10 @@ INTERNAL_FUNC int emstorage_move_multiple_mails_on_db(char *multi_user_name, int if (last_comma) *last_comma = ')'; /* replace , with) */ memset(sql_query_string, 0x00, conditional_clause_len); - SNPRINTF(sql_query_string, conditional_clause_len, "UPDATE mail_read_mail_uid_tbl SET mailbox_name = '%s', mailbox_id = %d, account_id = %d %s", target_mailbox_name, input_mailbox_id, target_account_id, conditional_clause); + SNPRINTF(sql_query_string, conditional_clause_len, "UPDATE mail_read_mail_uid_tbl SET mailbox_name = ? mailbox_id = ? account_id = ? %s", conditional_clause); + EM_DEBUG_LOG_SEC("Query [%s]", sql_query_string); - error = emstorage_exec_query_by_prepare_v2(local_db_handle, sql_query_string); + error = emstorage_exec_query_by_prepare_v2_stmt(local_db_handle, sql_query_string, target_mailbox_name, input_mailbox_id, target_account_id); if (error != EMAIL_ERROR_NONE) { EM_DEBUG_EXCEPTION("emstorage_exec_query_by_prepare_v2 failed:[%d]", error); goto FINISH_OFF; -- 2.7.4