disable script dump

Change-Id: I04d740cc0fcf87daa192a0a6af34138278043a19
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146905
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Caolán McNamara 2023-02-13 13:56:10 +00:00
parent f4238ed900
commit 6190a8210e
3 changed files with 68 additions and 0 deletions


@ -291,6 +291,37 @@ namespace connectivity
} // if ( xStream.is() ) } // if ( xStream.is() )
::comphelper::disposeComponent(xStream); ::comphelper::disposeComponent(xStream);
} }
// disallow any database/script files that contain a "SCRIPT[.*]" entry (this is belt and braces
// in that bundled hsqldb 1.8.0 is patched to also reject them)
//
// hsqldb 2.6.0 release notes have: added system role SCRIPT_OPS for export / import of database structure and data
// which seems to provide a builtin way to do this with contemporary hsqldb
static const OUStringLiteral sScript(u"script");
if (!bIsNewDatabase && xStorage->isStreamElement(sScript))
{
Reference<XStream > xStream = xStorage->openStreamElement(sScript, ElementModes::READ);
if (xStream.is())
{
std::unique_ptr<SvStream> pStream(::utl::UcbStreamHelper::CreateStream(xStream));
if (pStream)
{
OStringBuffer sLine;
while (pStream->ReadLine(sLine))
{
OString sText = sLine.makeStringAndClear().trim();
if (sText.startsWithIgnoreAsciiCase("SCRIPT"))
{
::connectivity::SharedResources aResources;
sMessage = aResources.getResourceString(STR_COULD_NOT_LOAD_FILE).replaceFirst("$filename$", sSystemPath);
break;
}
}
}
} // if ( xStream.is() )
::comphelper::disposeComponent(xStream);
}
} }
catch(Exception&) catch(Exception&)
{ {
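Review bot: The new check is a plain prefix match, `sText.startsWithIgnoreAsciiCase("SCRIPT")`, on each trimmed line of the `script` stream, while the comment above it describes a "SCRIPT[.*]" entry. It therefore holds only if the statement keyword is always the first token on its own line, which depends on how hsqldb parses the file and is not visible in this hunk. I would state that assumption in the comment and name the hsqldb patch as the authoritative control, e.g. `// textual pre-check only: assumes one statement per line with the keyword first; the bundled hsqldb patch is what actually refuses the command`. The rejection also reuses the generic STR_COULD_NOT_LOAD_FILE text with no diagnostic, so a refused document cannot be told apart from a corrupt one during triage; a `SAL_WARN` next to the `sMessage` assignment, in whatever log area this file already uses, would make that visible. The enclosing function starts and ends outside the hunk, so how `sMessage` is acted on after the `try` block cannot be confirmed from here.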


@ -27,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hsqldb,\
external/hsqldb/patches/hsqldb-runFinalizersOnExit.patch \ external/hsqldb/patches/hsqldb-runFinalizersOnExit.patch \
external/hsqldb/patches/jdbc-4.1.patch \ external/hsqldb/patches/jdbc-4.1.patch \
external/hsqldb/patches/multipleResultSets.patch \ external/hsqldb/patches/multipleResultSets.patch \
external/hsqldb/patches/disable-dump-script.patch \
)) ))
# vim: set noet sw=4 ts=4: # vim: set noet sw=4 ts=4:


@ -0,0 +1,36 @@
--- a/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 11:08:11.297243034 +0000
+++ b/hsqldb/src/org/hsqldb/DatabaseCommandInterpreter.java 2023-02-13 13:49:17.973089433 +0000
@@ -392,31 +392,19 @@
*/
private Result processScript() throws IOException, HsqlException {
- String token = tokenizer.getString();
- ScriptWriterText dsw = null;
+ tokenizer.getString();
session.checkAdmin();
try {
if (tokenizer.wasValue()) {
- if (tokenizer.getType() != Types.VARCHAR) {
- throw Trace.error(Trace.INVALID_IDENTIFIER);
- }
-
- dsw = new ScriptWriterText(database, token, true, true, true);
-
- dsw.writeAll();
-
- return new Result(ResultConstants.UPDATECOUNT);
+ throw Trace.error(Trace.ACCESS_IS_DENIED);
} else {
tokenizer.back();
return DatabaseScript.getScript(database, false);
}
} finally {
- if (dsw != null) {
- dsw.close();
- }
}
}
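Review bot: The refusal in `processScript()` is undocumented in the patched code: `throw Trace.error(Trace.ACCESS_IS_DENIED);` comes after `session.checkAdmin()`, so even an admin session is denied the file-writing form, and nothing in the method says this is deliberate. A comment above the throw, such as `// LibreOffice: SCRIPT with a file argument is disabled on purpose; only the in-memory getScript() form remains`, would help keep a later hsqldb rebase from restoring the old branch. The patch also leaves `try { ... } finally { }` with an empty `finally` and a bare `tokenizer.getString();` whose result is discarded. The empty block may be kept to minimise the diff against upstream, but the discarded call deserves a short note, presumably `// consume the next token so wasValue() below reflects it`.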