connectivity/source/drivers/hsqldb/HDriver.cxx    |   31 ++++++++++++++++++
 external/hsqldb/UnpackedTarball_hsqldb.mk         |    1 
 external/hsqldb/patches/disable-dump-script.patch |   36 ++++++++++++++++++++++
 3 files changed, 68 insertions(+)

New commits:
commit 4cfc31d2be169befdb72b8296bec0815d72d44c6
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Feb 13 13:56:10 2023 +0000
Commit:     Andras Timar <andras.ti...@collabora.com>
CommitDate: Mon Feb 13 21:02:32 2023 +0100

    disable script dump
    
    Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19

diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx 
b/connectivity/source/drivers/hsqldb/HDriver.cxx
index 09686ef6dbdf..1d3f13e5718b 100644
--- a/connectivity/source/drivers/hsqldb/HDriver.cxx
+++ b/connectivity/source/drivers/hsqldb/HDriver.cxx
@@ -291,6 +291,37 @@ namespace connectivity
                         } // if ( xStream.is() )
                         ::comphelper::disposeComponent(xStream);
                     }
+
+                    // disallow any database/script files that contain a 
"SCRIPT[.*]" entry (this is belt and braces
+                    // in that bundled hsqldb 1.8.0 is patched to also reject 
them)
+                    //
+                    // hsqldb 2.6.0 release notes have: added system role 
SCRIPT_OPS for export / import of database structure and data
+                    // which seems to provide a builtin way to do this with 
contemporary hsqldb
+                    static const OUStringLiteral sScript(u"script");
+                    if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
+                    {
+                        Reference<XStream > xStream = 
xStorage->openStreamElement(sScript, ElementModes::READ);
+                        if (xStream.is())
+                        {
+                            std::unique_ptr<SvStream> 
pStream(::utl::UcbStreamHelper::CreateStream(xStream));
+                            if (pStream)
+                            {
+                                OStringBuffer sLine;
+                                while (pStream->ReadLine(sLine))
+                                {
+                                    OString sText = 
sLine.makeStringAndClear().trim();
+                                    if 
(sText.startsWithIgnoreAsciiCase("SCRIPT"))
+                                    {
+                                        ::connectivity::SharedResources 
aResources;
+                                        sMessage = 
aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$",
 sSystemPath);
+                                        break;
+                                    }
+                                }
+                            }
+                        } // if ( xStream.is() )
+                        ::comphelper::disposeComponent(xStream);
+                    }
+
                 }
                 catch(Exception&)
                 {
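Review bot: The new check `sText.startsWithIgnoreAsciiCase("SCRIPT")` is anchored to the start of each trimmed line, which is narrower than the "contain" in the comment above it. This pre-check is therefore a heuristic, and the real enforcement is the hsqldb patch added in this same commit. A build that does not use the bundled, patched hsqldb would presumably have only this layer, so the comment should say so, e.g. `// heuristic pre-check only: matches SCRIPT at the start of a line; the patched bundled hsqldb is the authoritative guard`. Rejection is signalled only by assigning `sMessage`; the code that acts on it lies outside the hunk, so it is worth confirming that a non-empty `sMessage` aborts the load before the script reaches the engine.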
diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk 
b/external/hsqldb/UnpackedTarball_hsqldb.mk
index 389572377fa6..0b05b45ba3c3 100644
--- a/external/hsqldb/UnpackedTarball_hsqldb.mk
+++ b/external/hsqldb/UnpackedTarball_hsqldb.mk
@@ -27,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
        external/hsqldb/patches/hsqldb-runFinalizersOnExit.patch \
        external/hsqldb/patches/jdbc-4.1.patch \
        external/hsqldb/patches/multipleResultSets.patch \
+       external/hsqldb/patches/disable-dump-script.patch \
 ))
 
 # vim: set noet sw=4 ts=4:
diff --git a/external/hsqldb/patches/disable-dump-script.patch 
b/external/hsqldb/patches/disable-dump-script.patch
new file mode 100644
index 000000000000..13e0213f7e57
--- /dev/null
+++ b/external/hsqldb/patches/disable-dump-script.patch
@@ -0,0 +1,36 @@
+--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java    2023-02-13 
11:08:11.297243034 +0000
++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java    2023-02-13 
13:49:17.973089433 +0000
+@@ -392,31 +392,19 @@
+      */
+     private Result processScript() throws IOException, HsqlException {
+ 
+-        String           token = tokenizer.getString();
+-        ScriptWriterText dsw   = null;
++        tokenizer.getString();
+ 
+         session.checkAdmin();
+ 
+         try {
+             if (tokenizer.wasValue()) {
+-                if (tokenizer.getType() != Types.VARCHAR) {
+-                    throw Trace.error(Trace.INVALID_IDENTIFIER);
+-                }
+-
+-                dsw = new ScriptWriterText(database, token, true, true, true);
+-
+-                dsw.writeAll();
+-
+-                return new Result(ResultConstants.UPDATECOUNT);
++                throw Trace.error(Trace.ACCESS_IS_DENIED);
+             } else {
+                 tokenizer.back();
+ 
+                 return DatabaseScript.getScript(database, false);
+             }
+         } finally {
+-            if (dsw != null) {
+-                dsw.close();
+-            }
+         }
+     }
+ 
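Review bot: In the patched `processScript`, removing the `dsw` cleanup leaves `try { … } finally { }` with an empty `finally` block, and the bare `tokenizer.getString();` now discards its result with no explanation. If the call is kept so that `tokenizer.wasValue()` reflects the token after SCRIPT, a comment such as `// consume the next token; a value here means the file-writing form, which is now refused` would make that clear. The Javadoc above the method starts outside the hunk; if it still describes writing the script to a file, it should be updated to say that this form now raises `Trace.ACCESS_IS_DENIED`.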
