hibernate3/CVE-2019-14900.patch

From cacc327ec6af98a53dc986a98a396761ce77dac8 Mon Sep 17 00:00:00 2001
From: zhanghua1831 <zhanghua1831@163.com>
Date: Fri, 19 Mar 2021 09:12:05 +0800
Subject: [PATCH] HHH-14077: CVE-2019-14900 SQL injection issue in
Hibernate ORM

---
 .../expression/LiteralExpression.java         | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
index bd739b7..0104226 100644
--- a/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
+++ b/hibernate-entitymanager/src/main/java/org/hibernate/ejb/criteria/expression/LiteralExpression.java
@@ -73,17 +73,25 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
 		return ':' + parameterName;
 	}
 
+	private String escapeLiteral(String literal) {
+		return literal.replace("'", "''");
+	}
+
+	private String inlineLiteral(String literal) {
+		return String.format( "\'%s\'", escapeLiteral( literal) );
+	}
+
 	@SuppressWarnings({ "unchecked" })
 	public String renderProjection(CriteriaQueryCompiler.RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+                        return inlineLiteral( literal.toString() );
+		}
+
 		// some drivers/servers do not like parameters in the select clause
 		final ValueHandlerFactory.ValueHandler handler =
 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
-			return '\'' + handler.render( literal ) + '\'';
-		}
-		else {
-			return handler.render( literal );
-		}
+		return handler.render( literal );
 	}
 
 	@Override
-- 
2.23.0