[jboss-cvs] Repository SVN: r2175 - in hsqldb/1.8.0.8-brew: lib and 1 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Mon Dec 17 20:28:42 EST 2007 

Author: fnasser at redhat.com
Date: 2007-12-17 20:28:41 -0500 (Mon, 17 Dec 2007)
New Revision: 2175

Added:
   hsqldb/1.8.0.8-brew/src/hsqldb-1.8.0.8-backport.patch
Modified:
   hsqldb/1.8.0.8-brew/component-info.xml
   hsqldb/1.8.0.8-brew/lib/hsqldb.jar
Log:
CVE-2007-4576

Modified: hsqldb/1.8.0.8-brew/component-info.xml
===================================================================
--- hsqldb/1.8.0.8-brew/component-info.xml	2007-12-18 01:01:38 UTC (rev 2174)
+++ hsqldb/1.8.0.8-brew/component-info.xml	2007-12-18 01:28:41 UTC (rev 2175)
@@ -3,9 +3,9 @@
               version="1.8.0.8-brew"
               licenseType="hsqldb"
               projectHome="http://hsqldb.org/"
-              description="Java relational database engine supporting a subset of ANSI-92 SQL plus SQL 99 and 2003 enhancements"
+              description="Java relational database engine supporting a subset of ANSI-92 SQL plus SQL 99 and 2003 enhancements (with fix for CVE-2007-4576)"
               scm=":ext:cvs.devel.redhat.com:/cvs/dist/hsqldb"
-              tag="hsqldb-1_8_0_8-1jpp_ep1_1">
+              tag="hsqldb-1_8_0_8-1jpp_ep1_5">
       <!-- Built using JDK 1.4 -->
       <artifact id="hsqldb.jar"/>
       <export>

Modified: hsqldb/1.8.0.8-brew/lib/hsqldb.jar
===================================================================
(Binary files differ)

Added: hsqldb/1.8.0.8-brew/src/hsqldb-1.8.0.8-backport.patch
===================================================================
--- hsqldb/1.8.0.8-brew/src/hsqldb-1.8.0.8-backport.patch	                        (rev 0)
+++ hsqldb/1.8.0.8-brew/src/hsqldb-1.8.0.8-backport.patch	2007-12-18 01:28:41 UTC (rev 2175)
@@ -0,0 +1,90 @@
+--- hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java.orig	2007-10-19 13:25:36.000000000 -0400
++++ hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java	2007-10-23 14:54:25.000000000 -0400
+@@ -44,6 +44,7 @@ import org.hsqldb.lib.Set;
+ import org.hsqldb.lib.SimpleLog;
+ import org.hsqldb.lib.java.JavaSystem;
+ import org.hsqldb.store.ValuePool;
++import org.hsqldb.lib.StringUtil;
+ 
+ /**
+  * Manages a .properties file for a database.
+@@ -53,6 +54,53 @@ import org.hsqldb.store.ValuePool;
+  * @since 1.7.0
+  */
+ public class HsqlDatabaseProperties extends HsqlProperties {
++    private static String hsqldb_method_class_names =
++        "hsqldb.method_class_names";
++    private static HashSet accessibleJavaMethodNames;
++
++    static {
++        try {
++            String prop = System.getProperty(hsqldb_method_class_names);
++
++            if (prop != null) {
++                accessibleJavaMethodNames = new HashSet();
++
++                String[] names = StringUtil.split(prop, ";");
++
++                for (int i = 0; i < names.length; i++) {
++                    accessibleJavaMethodNames.add(names[i]);
++                }
++            }
++        } catch (Exception e) {}
++    }
++
++    /**
++     * If the system property "hsqldb.method_class_names" is not set, then
++     * static methods of all available Java classes can be accessed as functions
++     * in HSQLDB. If the property is set, then only the list of semicolon
++     * seperated method names becomes accessible. An empty property value means
++     * no class is accessible.<p>
++     *
++     * All methods of org.hsqldb.Library are always accessible.
++     *
++     *
++     */
++    public static boolean supportsJavaMethod(String name) {
++
++        if (name.startsWith("org.hsqldb.Library")) {
++            return true;
++        }
++
++        if (accessibleJavaMethodNames == null) {
++            return true;
++        }
++
++        if (accessibleJavaMethodNames.contains(name)) {
++            return true;
++        }
++
++        return false;
++    }
+ 
+     // column number mappings
+     public static final int indexName         = 0;
+--- hsqldb/src/org/hsqldb/Database.java.orig	2007-10-19 13:24:32.000000000 -0400
++++ hsqldb/src/org/hsqldb/Database.java	2007-10-23 14:55:07.000000000 -0400
+@@ -473,12 +473,19 @@ public class Database {
+      *  the given method alias. If there is no Java method, then returns the
+      *  alias itself.
+      */
+-    String getJavaName(String s) {
++    String getJavaName(String name) throws HsqlException {
+ 
+-        String alias = (String) hAlias.get(s);
++        String target = (String) hAlias.get(name);
+ 
+-        return (alias == null) ? s
+-                               : alias;
++        if (target == null) {
++            target = name;
++        }
++
++        if (HsqlDatabaseProperties.supportsJavaMethod(target)) {
++            return target;
++        }
++
++        throw Trace.error(Trace.ACCESS_IS_DENIED, target);
+     }
+ 
+     /**

More information about the jboss-cvs-commits mailing list