File hsqldb-CVE-2022-41853.patch of Package hsqldb.26565
From b6719c67b41eb9298c2451ad2829bf03b262a941 Mon Sep 17 00:00:00 2001
From: Fred Toussi <fredt@users.sf.net>
Date: Tue, 27 Sep 2022 09:49:41 +0000
Subject: [PATCH] core code updates - Java methods used in routines must now be
in hsqldb.method_class_names value string
git-svn-id: http://svn.code.sf.net/p/hsqldb/svn/base/trunk@6614 7c7dc5f5-a22d-0410-a3af-b41755a11667
---
.../persist/HsqlDatabaseProperties.java | 25 +++----------------
1 file changed, 4 insertions(+), 21 deletions(-)
Index: hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java
===================================================================
--- hsqldb.orig/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+++ hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java
@@ -56,24 +56,23 @@ public class HsqlDatabaseProperties exte
"hsqldb.method_class_names";
public static final String textdb_allow_full_path =
"textdb.allow_full_path";
- private static HashSet accessibleJavaMethodNames;
+ public static String methodClassNames;
+ private static final HashSet accessibleJavaMethodNames = new HashSet();
private static boolean allowFullPath;
static {
try {
- String prop = System.getProperty(hsqldb_method_class_names);
+ methodClassNames = System.getProperty(hsqldb_method_class_names);
- if (prop != null) {
- accessibleJavaMethodNames = new HashSet();
-
- String[] names = StringUtil.split(prop, ";");
+ if (methodClassNames != null) {
+ String[] names = StringUtil.split(methodClassNames, ";");
for (int i = 0; i < names.length; i++) {
accessibleJavaMethodNames.add(names[i]);
}
}
- prop = System.getProperty(textdb_allow_full_path);
+ String prop = System.getProperty(textdb_allow_full_path);
if (prop != null) {
if (Boolean.valueOf(prop)) {
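Review bot: `public static String methodClassNames;` is a public, non-final static, so any code in the JVM can reassign it after class initialisation, while the enforced set `accessibleJavaMethodNames` keeps the values parsed here. Anything that later reports or persists the allow-list from this field could then disagree with what `supportsJavaMethod` actually enforces. I would declare it `private static String methodClassNames;` behind a read-only accessor (`getMethodClassNames()` is only a suggested name), assuming nothing outside this file needs to write it; the diffstat lists only this file. As far as this hunk shows, the set is filled once in the static initializer, so a comment such as `// allow-list is parsed once at class load; later changes to the system property are not picked up here` above the `System.getProperty` call would help operators. The static initializer continues past the end of this hunk.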
@@ -85,7 +84,7 @@ public class HsqlDatabaseProperties exte
/**
* If the system property "hsqldb.method_class_names" is not set, then
- * static methods of all available Java classes can be accessed as functions
+ * static methods of available Java classes cannot be accessed as functions
* in HSQLDB. If the property is set, then only the list of semicolon
* seperated method names becomes accessible. An empty property value means
* no class is accessible.<p>
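Review bot: The reworded sentence says static methods of Java classes "cannot be accessed" when the property is unset, and the context line still says an empty value means "no class is accessible". However, `supportsJavaMethod` in the last hunk returns true for any name starting with `java.lang.Math.` before the allow-list is consulted. Unless the part of the Javadoc outside this hunk already covers it, I would state the exemption here, e.g. `* static methods of Java classes other than java.lang.Math cannot be accessed as functions`. While the comment is being touched, `seperated` two lines further down should read `separated`. The Javadoc block begins in this hunk and ends outside it.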
@@ -98,10 +97,6 @@ public class HsqlDatabaseProperties exte
*/
public static boolean supportsJavaMethod(String name) {
- if (accessibleJavaMethodNames == null) {
- return true;
- }
-
if (name.startsWith("java.lang.Math.")) {
return true;
}