From 304f6fcb4e9124b9dbabf3ae28a3a7d21942429f Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Mon, 7 Nov 2022 10:06:16 +0100
Subject: [PATCH] Fix CVE-2022-41853

Backport upstream fix for CVE-2022-41853 from SVN r6614. Java methods used in routines must now be in hsqldb.method_class_names value string.

https://sourceforge.net/p/hsqldb/svn/6614
---
 src/org/hsqldb/persist/HsqlDatabaseProperties.java | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/org/hsqldb/persist/HsqlDatabaseProperties.java b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
index 2033183..b2012c2 100644
--- a/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+++ b/src/org/hsqldb/persist/HsqlDatabaseProperties.java
@@ -57,14 +57,13 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 private static String hsqldb_method_class_names = "hsqldb.method_class_names";
- private static HashSet accessibleJavaMethodNames;
+ private static HashSet accessibleJavaMethodNames = new HashSet();
 static {
 try {
 String prop = System.getProperty(hsqldb_method_class_names);
 if (prop != null) {
- accessibleJavaMethodNames = new HashSet();
 String[] names = StringUtil.split(prop, ";");
@@ -77,7 +76,7 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 /**
 * If the system property "hsqldb.method_class_names" is not set, then
- * static methods of all available Java classes can be accessed as functions
+ * static methods of available Java classes cannot be accessed as functions
 * in HSQLDB. If the property is set, then only the list of semicolon
 * seperated method names becomes accessible. An empty property value means
 * no class is accessible.
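Review bot: The allow-list field is still not `final` even though this commit removes its only reassignment (the `accessibleJavaMethodNames = new HashSet();` inside `if (prop != null)`), so `private static final HashSet accessibleJavaMethodNames = new HashSet();` would let the compiler guarantee the set is created once and never replaced. The static initializer's `try` is opened in this hunk but its `catch` lies outside it; if that catch swallows exceptions, a failure while parsing the property leaves the set empty or partially filled, which with the new default is a fail-closed outcome rather than the old fail-open one. That intent is worth a one-line comment on the new declaration, e.g. `// empty set: no Java method outside org.hsqldb.Library is callable from SQL`. The neighbouring `hsqldb_method_class_names` could likewise be declared `static final`, since nothing visible assigns it after initialisation.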
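Review bot: The reworded Javadoc still omits the `org.hsqldb.Library.` exemption that `supportsJavaMethod` keeps in the following hunk, so "An empty property value means no class is accessible" overstates what the property controls. Suggest appending a sentence such as `Static methods of org.hsqldb.Library remain accessible regardless of this property.` and, while the comment is being touched, correcting `seperated` to `separated`. The comment also lacks `@param name the fully qualified class and method name to check` and `@return true if the method may be invoked from SQL`; the method signature it documents begins in the next hunk.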

@@ -93,10 +92,6 @@ public class HsqlDatabaseProperties extends HsqlProperties {
 */
 public static boolean supportsJavaMethod(String name) {
- if (accessibleJavaMethodNames == null) {
- return true;
- }
-
 if (name.startsWith("org.hsqldb.Library.")) {
 return true;
 }
-- 
2.37.3
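Review bot: The fix removes the fail-open branch but carries no regression test (the diffstat lists only HsqlDatabaseProperties.java), so nothing pins the new default that an unlisted name is rejected when `hsqldb.method_class_names` is unset. A small test that, with the property absent, asserts `supportsJavaMethod("com.example.Foo.bar")` (constructed sample name) returns `false` while a name beginning with `org.hsqldb.Library.` returns `true` would guard against the guard being reintroduced. The surviving `startsWith` grant is the only unconditional allow left in the method and deserves a comment on that line, e.g. `// built-in function library is always callable, independent of the property`. The body of supportsJavaMethod continues past the end of the hunk, so the property-based check itself is not visible here.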