disable script dump
Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146905 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
parent
f4238ed900
commit
6190a8210e
3 changed files with 68 additions and 0 deletions
|
@ -291,6 +291,37 @@ namespace connectivity
|
|||
} // if ( xStream.is() )
|
||||
::comphelper::disposeComponent(xStream);
|
||||
}
|
||||
|
||||
// disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces
|
||||
// in that bundled hsqldb 1.8.0 is patched to also reject them)
|
||||
//
|
||||
// hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data
|
||||
// which seems to provide a builtin way to do this with contemporary hsqldb
|
||||
static const OUStringLiteral sScript(u"script");
|
||||
if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
|
||||
{
|
||||
Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ);
|
||||
if (xStream.is())
|
||||
{
|
||||
std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream));
|
||||
if (pStream)
|
||||
{
|
||||
OStringBuffer sLine;
|
||||
while (pStream->ReadLine(sLine))
|
||||
{
|
||||
OString sText = sLine.makeStringAndClear().trim();
|
||||
if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
|
||||
{
|
||||
::connectivity::SharedResources aResources;
|
||||
sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
} // if ( xStream.is() )
|
||||
::comphelper::disposeComponent(xStream);
|
||||
}
|
||||
|
||||
}
|
||||
catch(Exception&)
|
||||
{
|
||||
|
|
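Review bot: The new check fails open: if the `script` element exists but `openStreamElement` hands back an empty reference, or `CreateStream` yields no `SvStream`, the `if (xStream.is())` and `if (pStream)` branches are simply skipped and `sMessage` is left untouched, so a file whose script stream could not be inspected is treated like one that passed inspection. Since this is a security gate, I would reject in those cases as well, for example by giving both `if`s an `else` that sets `sMessage` from `STR_COULD_NOT_LOAD_FILE` the same way the match branch does. The match itself is a prefix test on each trimmed line, so it works as an early reject rather than as the enforcement point; a one-line comment stating that the patched hsqldb is what actually refuses the statement would stop later readers from relying on this check alone. A `SAL_WARN` at the rejection would also make the event visible in logs, because the user-facing text is the generic could-not-load message. The enclosing function and the body of `catch(Exception&)` lie outside this hunk, so how `sMessage` is acted on afterwards is not visible here.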
1
external/hsqldb/UnpackedTarball_hsqldb.mk
vendored
|
@ -27,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
|
|||
external/hsqldb/patches/hsqldb-runFinalizersOnExit.patch \
|
||||
external/hsqldb/patches/jdbc-4.1.patch \
|
||||
external/hsqldb/patches/multipleResultSets.patch \
|
||||
external/hsqldb/patches/disable-dump-script.patch \
|
||||
))
|
||||
|
||||
# vim: set noet sw=4 ts=4:
|
||||
|
|
36
external/hsqldb/patches/disable-dump-script.patch
vendored
Normal file
|
@ -0,0 +1,36 @@
|
|||
--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 11:08:11.297243034 +0000
|
||||
+++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 13:49:17.973089433 +0000
|
||||
@@ -392,31 +392,19 @@
|
||||
*/
|
||||
private Result processScript() throws IOException, HsqlException {
|
||||
|
||||
- String token = tokenizer.getString();
|
||||
- ScriptWriterText dsw = null;
|
||||
+ tokenizer.getString();
|
||||
|
||||
session.checkAdmin();
|
||||
|
||||
try {
|
||||
if (tokenizer.wasValue()) {
|
||||
- if (tokenizer.getType() != Types.VARCHAR) {
|
||||
- throw Trace.error(Trace.INVALID_IDENTIFIER);
|
||||
- }
|
||||
-
|
||||
- dsw = new ScriptWriterText(database, token, true, true, true);
|
||||
-
|
||||
- dsw.writeAll();
|
||||
-
|
||||
- return new Result(ResultConstants.UPDATECOUNT);
|
||||
+ throw Trace.error(Trace.ACCESS_IS_DENIED);
|
||||
} else {
|
||||
tokenizer.back();
|
||||
|
||||
return DatabaseScript.getScript(database, false);
|
||||
}
|
||||
} finally {
|
||||
- if (dsw != null) {
|
||||
- dsw.close();
|
||||
- }
|
||||
}
|
||||
}
|
||||
|