connectivity/source/drivers/hsqldb/HDriver.cxx| 31 ++
external/hsqldb/UnpackedTarball_hsqldb.mk |1
external/hsqldb/patches/disable-dump-script.patch | 36 ++
3 files changed, 68 insertions(+)
New commits:
commit 4cfc31d2be169befdb72b8296bec0815d72d44c6
Author: Caolán McNamara
AuthorDate: Mon Feb 13 13:56:10 2023 +
Commit: Andras Timar
CommitDate: Mon Feb 13 21:02:32 2023 +0100
disable script dump
Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19
diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx
b/connectivity/source/drivers/hsqldb/HDriver.cxx
index 09686ef6dbdf..1d3f13e5718b 100644
--- a/connectivity/source/drivers/hsqldb/HDriver.cxx
+++ b/connectivity/source/drivers/hsqldb/HDriver.cxx
@@ -291,6 +291,37 @@ namespace connectivity
} // if ( xStream.is() )
::comphelper::disposeComponent(xStream);
}
+
+// disallow any database/script files that contain a
"SCRIPT[.*]" entry (this is belt and braces
+// in that bundled hsqldb 1.8.0 is patched to also reject
them)
+//
+// hsqldb 2.6.0 release notes have: added system role
SCRIPT_OPS for export / import of database structure and data
+// which seems to provide a builtin way to do this with
contemporary hsqldb
+static const OUStringLiteral sScript(u"script");
+if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
+{
+Reference xStream =
xStorage->openStreamElement(sScript, ElementModes::READ);
+if (xStream.is())
+{
+std::unique_ptr
pStream(::utl::UcbStreamHelper::CreateStream(xStream));
+if (pStream)
+{
+OStringBuffer sLine;
+while (pStream->ReadLine(sLine))
+{
+OString sText =
sLine.makeStringAndClear().trim();
+if
(sText.startsWithIgnoreAsciiCase("SCRIPT"))
+{
+::connectivity::SharedResources
aResources;
+sMessage =
aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$",
sSystemPath);
+break;
+}
+}
+}
+} // if ( xStream.is() )
+::comphelper::disposeComponent(xStream);
+}
+
}
catch(Exception&)
{
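Review bot: The `sText.startsWithIgnoreAsciiCase("SCRIPT")` test in the added block is a prefix match on each trimmed line of the `script` stream alone, so it only recognises the statement when the keyword is the first token on its line in that one stream. It should be documented as a pre-filter rather than the control. The check that does not depend on file layout is the `ACCESS_IS_DENIED` change in the bundled hsqldb, and a build that links a non-bundled hsqldb would presumably be left with this filter only. I would extend the comment with something like `// best-effort pre-filter only; the authoritative refusal is disable-dump-script.patch in the bundled hsqldb`. The enclosing function begins and ends outside the hunk, so whether a non-empty `sMessage` actually aborts the connection cannot be confirmed from these lines.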
diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk
b/external/hsqldb/UnpackedTarball_hsqldb.mk
index 389572377fa6..0b05b45ba3c3 100644
--- a/external/hsqldb/UnpackedTarball_hsqldb.mk
+++ b/external/hsqldb/UnpackedTarball_hsqldb.mk
@@ -27,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
external/hsqldb/patches/hsqldb-runFinalizersOnExit.patch \
external/hsqldb/patches/jdbc-4.1.patch \
external/hsqldb/patches/multipleResultSets.patch \
+ external/hsqldb/patches/disable-dump-script.patch \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/hsqldb/patches/disable-dump-script.patch
b/external/hsqldb/patches/disable-dump-script.patch
new file mode 100644
index ..13e0213f7e57
--- /dev/null
+++ b/external/hsqldb/patches/disable-dump-script.patch
@@ -0,0 +1,36 @@
+--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java2023-02-13
11:08:11.297243034 +
b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java2023-02-13
13:49:17.973089433 +
+@@ -392,31 +392,19 @@
+ */
+ private Result processScript() throws IOException, HsqlException {
+
+-String token = tokenizer.getString();
+-ScriptWriterText dsw = null;
++tokenizer.getString();
+
+ session.checkAdmin();
+
+ try {
+ if (tokenizer.wasValue()) {
+-if (tokenizer.getType() != Types.VARCHAR) {
+-throw Trace.error(Trace.INVALID_IDENTIFIER);
+-}
+-
+-dsw = new ScriptWriterText(database, token, true, true, true);
+-
+-dsw.writeAll();
+-
+-return new Result(ResultConstants.UPDATECOUNT);
++throw Trace.error(Trace.ACCESS_IS_DENIED);
+ } else {
+ tokenizer.back();
+
+ return DatabaseScript.getScript(database, false);
+ }
+ } finally {
+-if (dsw != null) {
+-dsw.close();
+-}
+ }
+ }
+
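Review bot: The patched `processScript()` keeps a `try { … } finally { }` whose `finally` body is now empty, and nothing in the method says why the file-target form is refused. The `try`/`finally` wrapper can be dropped, leaving the plain `if (tokenizer.wasValue()) { throw Trace.error(Trace.ACCESS_IS_DENIED); }` followed by the `getScript` return. A one-line comment above the throw would record the intent, for example `// SCRIPT '<file>' is refused here: SQL loaded from a document must not be able to name a file to write`. The javadoc that ends just above the method lies outside the hunk and may still describe the file-writing behaviour, so it is worth checking as well.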