From 304f6fcb4e9124b9dbabf3ae28a3a7d21942429f Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Mon, 7 Nov 2022 10:06:16 +0100
Subject: [PATCH] Fix CVE-2022-41853

Backport upstream fix for CVE-2022-41853 from SVN r6614.
Java methods used in routines must now be listed in the
hsqldb.method_class_names property value.

https://sourceforge.net/p/hsqldb/svn/6614
---
 src/org/hsqldb/persist/HsqlDatabaseProperties.java | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
index 2033183..b2012c2 100644
--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
@@ -57,14 +57,13 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 
     private static String hsqldb_method_class_names =
         "hsqldb.method_class_names";
-    private static HashSet accessibleJavaMethodNames;
+    private static HashSet accessibleJavaMethodNames = new HashSet();
 
     static {
         try {
             String prop = System.getProperty(hsqldb_method_class_names);
 
             if (prop != null) {
-                accessibleJavaMethodNames = new HashSet();
 
                 String[] names = StringUtil.split(prop, ";");
 
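Review bot: `accessibleJavaMethodNames` is now initialised at its declaration but is still a non-final static, so the compiler does not stop a later reassignment to null. With the null check in `supportsJavaMethod` removed, such a reassignment would presumably surface as a NullPointerException on lookup. If nothing else in the class assigns the field (not visible from this hunk), declare it `private static final HashSet accessibleJavaMethodNames = new HashSet();`. The static initializer's catch clause lies outside the hunk; confirm that it leaves the set empty when reading the property fails, so that the failure path is also deny-by-default.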
@@ -77,7 +76,7 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 
     /**
      * If the system property "hsqldb.method_class_names" is not set, then
-     * static methods of all available Java classes can be accessed as functions
+     * static methods of available Java classes cannot be accessed as functions
      * in HSQLDB. If the property is set, then only the list of semicolon
      * seperated method names becomes accessible. An empty property value means
      * no class is accessible.<p>
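Review bot: The reworded javadoc overstates the new default. With the property unset, `supportsJavaMethod` still returns true for names starting with `org.hsqldb.Library.` (visible in the following hunk), so "cannot be accessed" is not strictly accurate. Something like `static methods of Java classes other than org.hsqldb.Library cannot be accessed as functions` would match the code; any further exemptions after that prefix check are outside the visible lines and should be named too. The sentence "An empty property value means no class is accessible" now describes the same behaviour as the unset case and could say so, and `seperated` should read `separated`. The comment block continues outside this hunk.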
@@ -93,10 +92,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
      */
     public static boolean supportsJavaMethod(String name) {
 
-        if (accessibleJavaMethodNames == null) {
-            return true;
-        }
-
         if (name.startsWith("org.hsqldb.Library.")) {
             return true;
         }
-- 
2.37.3