configure.ac | 2 - connectivity/source/drivers/hsqldb/HDriver.cxx | 31 ++++++++++++++++++ external/hsqldb/UnpackedTarball_hsqldb.mk | 1 external/hsqldb/patches/disable-dump-script.patch | 36 ++++++++++++++++++++++ 4 files changed, 69 insertions(+), 1 deletion(-)
New commits: commit c3a3895df8871cc1dc3cf253fe879df3d5a62b48 Author: Andras Timar <andras.ti...@collabora.com> AuthorDate: Thu Feb 16 10:26:03 2023 +0100 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Feb 16 10:26:03 2023 +0100 Bump version to 22.05.10.2 Change-Id: I0105d567e6ca124b2d5b5485ebd1d0292d6a5ef2 diff --git a/configure.ac b/configure.ac index 0d3ef9eb027e..87fe374be6b2 100644 --- a/configure.ac +++ b/configure.ac @@ -9,7 +9,7 @@ dnl in order to create a configure script. # several non-alphanumeric characters, those are split off and used only for the # ABOUTBOXPRODUCTVERSIONSUFFIX in openoffice.lst. Why that is necessary, no idea. -AC_INIT([Collabora Office],[22.05.10.1],[],[],[https://collaboraoffice.com/]) +AC_INIT([Collabora Office],[22.05.10.2],[],[],[https://collaboraoffice.com/]) dnl libnumbertext needs autoconf 2.68, but that can pick up autoconf268 just fine if it is installed dnl whereas aclocal (as run by autogen.sh) insists on using autoconf and fails hard commit f7153594f028c09f9510141ee532ed30982f3112 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Feb 13 13:56:10 2023 +0000 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Feb 16 10:25:39 2023 +0100 disable script dump Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19 diff --git a/connectivity/source/drivers/hsqldb/HDriver.cxx b/connectivity/source/drivers/hsqldb/HDriver.cxx index 962e574879cf..5ef40fbd6914 100644 --- a/connectivity/source/drivers/hsqldb/HDriver.cxx +++ b/connectivity/source/drivers/hsqldb/HDriver.cxx 
@@ -290,6 +290,37 @@ namespace connectivity } // if ( xStream.is() ) ::comphelper::disposeComponent(xStream); } + + // disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces + // in that bundled hsqldb 1.8.0 is patched to also reject them) + // + // hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data + // which seems to provide a builtin way to do this with contemporary hsqldb + static const OUStringLiteral sScript(u"script"); + if (!bIsNewDatabase && xStorage->isStreamElement(sScript)) + { + Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ); + if (xStream.is()) + { + std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream)); + if (pStream) + { + OStringBuffer sLine; + while (pStream->ReadLine(sLine)) + { + OString sText = sLine.makeStringAndClear().trim(); + if (sText.startsWithIgnoreAsciiCase("SCRIPT")) + { + ::connectivity::SharedResources aResources; + sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath); + break; + } + } + } + } // if ( xStream.is() ) + ::comphelper::disposeComponent(xStream); + } + } catch(Exception&) { diff --git a/external/hsqldb/UnpackedTarball_hsqldb.mk b/external/hsqldb/UnpackedTarball_hsqldb.mk index cbba770f19a0..ed262cccf4ca 100644 --- a/external/hsqldb/UnpackedTarball_hsqldb.mk +++ b/external/hsqldb/UnpackedTarball_hsqldb.mk @@ -29,6 +29,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\ external/hsqldb/patches/jdbc-4.1.patch \ external/hsqldb/patches/multipleResultSets.patch \ ) \ + external/hsqldb/patches/disable-dump-script.patch \ )) # vim: set noet sw=4 ts=4: diff --git a/external/hsqldb/patches/disable-dump-script.patch b/external/hsqldb/patches/disable-dump-script.patch new file mode 100644 index 000000000000..13e0213f7e57 --- /dev/null +++ b/external/hsqldb/patches/disable-dump-script.patch 
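Review bot: The new scan fails open: `if (xStream.is())` and `if (pStream)` have no else branch, so when the `script` stream cannot be opened or wrapped, `sMessage` stays unset and the file is treated as if it had been checked. The same may hold when an exception reaches the `catch(Exception&)` that follows; its body is outside the hunk, as are the start and end of the enclosing function. For a guard described as belt and braces it is safer to refuse the file unless the stream was actually read, for example with a flag that is set once the stream is open and cleared on a match, as sketched below. The comment could also state that `startsWithIgnoreAsciiCase("SCRIPT")` is a line-prefix heuristic on this one stream and that the patched bundled hsqldb is the enforcing control.

```cpp
if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
{
    // fail closed: accept the file only if the script stream was opened and scanned without a match
    bool bScriptAccepted = false;
    // … unchanged: openStreamElement, xStream.is() check, CreateStream …
        if (pStream)
        {
            bScriptAccepted = true;
            // … unchanged: OStringBuffer sLine, ReadLine loop, trim into sText …
                if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
                {
                    bScriptAccepted = false;
                    break;
                }
        }
    // … unchanged: disposeComponent(xStream) …
    if (!bScriptAccepted)
    {
        ::connectivity::SharedResources aResources;
        sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
    }
}
```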
@@ -0,0 +1,36 @@
+--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 11:08:11.297243034 +0000
++++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 13:49:17.973089433 +0000
+@@ -392,31 +392,19 @@
+ */
+ private Result processScript() throws IOException, HsqlException {
+
+- String token = tokenizer.getString();
+- ScriptWriterText dsw = null;
++ tokenizer.getString();
+
+ session.checkAdmin();
+
+ try {
+ if (tokenizer.wasValue()) {
+- if (tokenizer.getType() != Types.VARCHAR) {
+- throw Trace.error(Trace.INVALID_IDENTIFIER);
+- }
+-
+- dsw = new ScriptWriterText(database, token, true, true, true);
+-
+- dsw.writeAll();
+-
+- return new Result(ResultConstants.UPDATECOUNT);
++ throw Trace.error(Trace.ACCESS_IS_DENIED);
+ } else {
+ tokenizer.back();
+
+ return DatabaseScript.getScript(database, false);
+ }
+ } finally {
+- if (dsw != null) {
+- dsw.close();
+- }
+ }
+ }
+
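Review bot: The `throw Trace.error(Trace.ACCESS_IS_DENIED);` branch in `processScript()` has no comment saying that SCRIPT with a file-name argument is refused on purpose in this bundled build, so a later hsqldb update could drop the restriction unnoticed. A line such as `// writing the script to a caller-named file is deliberately disabled` above the throw would record the intent. The `try { … } finally { }` wrapper is now empty and the result of `tokenizer.getString();` is discarded; both are presumably kept to keep the patch small, which is worth a sentence in the patch header. The method's javadoc begins above the inner hunk, so if it still describes the file-writing form it needs the same update.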