When using Single Table Inheritance in a MySQL environment, the DiscriminatorValue is inlined into the generated SQL unescaped, causing inconsistent behaviour.
For example, the following annotation causes a SQL error because the unescaped quote breaks the generated query:
{code:java} @DiscriminatorValue("Dis'criminator") {code}
While this may not necessarily be a security problem, as this isn't based on user input, it is still incorrect behaviour. Let me explain:
{code:java} @DiscriminatorValue("App\\Models\\Slacker") {code}
The above annotation results in INSERTs with an actual stored value of "AppModelsSlacker", because the single backslashes are sent to the server unescaped. MySQL (in its default sql_mode) interprets each backslash as escaping the following character and therefore drops it from the final string.
Now, when fetching this model *through a relation*, e.g. fetching a Slacker (which extends Student) through a SchoolClass (which has Students), the ORM throws a WrongClassException, because the fetched discriminator value is "AppModelsSlacker" but it is matched against "App\Models\Slacker".
Obviously this also makes working with the same database from different applications quite troublesome. In my case it is PHP on one side (hence the fully qualified namespaces) and Java on the other.
(SingleTableEntityPersister.java:327 is where the discriminatorSQLValue is fetched)
On request I can submit my test case somewhere (where?); however, as it requires a MySQL server, I did not think it would help much.
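As an added illustration (not code from this report or from Hibernate), the following Python models how MySQL's string-literal parsing treats a discriminator value that is pasted into the query unescaped, and what a correctly escaped literal looks like. The decoder is a deliberately minimal model of MySQL's escape rules, not the server's parser; it assumes the default sql_mode unless `no_backslash_escapes` is set, which is the one other mode that matters here. The function names and the `mysql_decode` helper are my own.

```python
"""Model of MySQL single-quoted string literals, added to illustrate why an
unescaped @DiscriminatorValue such as "App\\Models\\Slacker" is stored as
"AppModelsSlacker" and why "Dis'criminator" breaks the query outright.
This is an illustrative decoder, not the MySQL parser."""

# Escape sequences MySQL recognises inside a string literal in default mode.
_SIMPLE_ESCAPES = {
    "0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t",
    "Z": "\x1a", "\\": "\\", "'": "'", '"': '"',
}


def naive_literal(value: str) -> str:
    """What an ORM produces when it just wraps the value in quotes
    (the behaviour described in the report)."""
    return "'" + value + "'"


def mysql_literal(value: str, no_backslash_escapes: bool = False) -> str:
    """A correctly escaped literal for the given sql_mode.

    Default mode: backslash and single quote are escaped with a backslash.
    NO_BACKSLASH_ESCAPES: backslash is an ordinary character, so only the
    quote needs escaping, and it is escaped by doubling it."""
    if no_backslash_escapes:
        return "'" + value.replace("'", "''") + "'"
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def mysql_decode(literal: str, no_backslash_escapes: bool = False) -> str:
    """Return the value MySQL assigns to a single-quoted literal.

    Raises ValueError when the text is not one well-formed literal, which is
    the situation in which the report's "SQL error" arises."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body = literal[1:-1]
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and not no_backslash_escapes:
            if i + 1 >= len(body):
                # The backslash would escape the closing quote: unterminated.
                raise ValueError("backslash escapes the closing quote")
            nxt = body[i + 1]
            if nxt in ("%", "_"):
                out.append("\\" + nxt)  # kept as-is for LIKE patterns
            else:
                # Known escapes map to their value; for any other character
                # MySQL simply drops the backslash. That is how
                # '\M' becomes 'M' and App\Models\Slacker loses its separators.
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        elif c == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                out.append("'")  # doubled quote is one literal quote
                i += 2
            else:
                # A lone quote ends the literal early; the remainder is
                # parsed as SQL, which is the error the report describes.
                raise ValueError("unescaped quote terminates the literal early")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parses(literal: str, no_backslash_escapes: bool = False) -> bool:
    """True if MySQL would accept the text as a single well-formed literal."""
    try:
        mysql_decode(literal, no_backslash_escapes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("App\\Models\\Slacker", "Dis'criminator"):
        for literal in (naive_literal(value), mysql_literal(value)):
            stored = mysql_decode(literal) if parses(literal) else "<SQL error>"
            print(f"{value!r:24} -> {literal:28} stored as {stored!r}")
```

Note that the correct escaping depends on the server's sql_mode: a literal escaped for the default mode stores doubled backslashes when run under NO_BACKSLASH_ESCAPES, and vice versa, which is why inlining the value at all is fragile compared with binding it as a parameter.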