bailuk / AAT

Another Activity Tracker for Android
https://bailu.ch/aat
GNU General Public License v3.0

SQL injection vulnerability in GpxDatabase.deleteEntry() #87

Closed MaxKellermann closed 4 years ago

MaxKellermann commented 4 years ago

With a crafted filename, the following may inject arbitrary SQL conditions: https://github.com/bailuk/AAT/blob/a65fbc62acefa879c5fdcbe359268a497d40c7b6/app/src/main/java/ch/bailu/aat/services/directory/GpxDatabase.java#L63-L64
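
The pattern this report describes, as an added example that is not code from the AAT repository or from the issue's author: a file name concatenated into a `DELETE` condition, next to the same delete with the name bound as a parameter. Python's `sqlite3` stands in for Android's SQLite API here; the table name, column name and sample file names are assumptions constructed for the illustration.

```python
import sqlite3

# Hypothetical schema: the real table and column names are not shown on this page.
TABLE = "gpx_summary"
COLUMN = "filename"

# Constructed sample data: two ordinary tracks and one file whose name contains quotes.
TRACKS = ["2020-01-01.gpx", "2020-01-02.gpx", "x' OR '1'='1"]


def make_db(filenames):
    """Create an in-memory database holding one row per file name."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} ({COLUMN} TEXT NOT NULL)")
    db.executemany(f"INSERT INTO {TABLE} VALUES (?)", [(n,) for n in filenames])
    return db


def delete_entry_concat(db, filename):
    """Assumed 'before' pattern: the file name is pasted into the WHERE clause."""
    cur = db.execute(f"DELETE FROM {TABLE} WHERE {COLUMN} = '{filename}'")
    return cur.rowcount


def delete_entry_bound(db, filename):
    """Hardened form: the file name is a bound parameter and is never parsed as SQL."""
    cur = db.execute(f"DELETE FROM {TABLE} WHERE {COLUMN} = ?", (filename,))
    return cur.rowcount


def remaining(db):
    return db.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]


def demo():
    """Delete the quoted file name with each variant; return (deleted, remaining)."""
    results = {}
    for label, fn in (("concat", delete_entry_concat), ("bound", delete_entry_bound)):
        db = make_db(TRACKS)
        deleted = fn(db, TRACKS[2])
        results[label] = (deleted, remaining(db))
        db.close()
    return results


if __name__ == "__main__":
    print(demo())
```

On Android, the bound form corresponds to a `?` placeholder in the `whereClause` of `SQLiteDatabase.delete()` with the file name passed in `whereArgs`. The concatenated form also fails on harmless names that merely contain an apostrophe, because the statement no longer parses.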