From: Markus Koschany <apo@debian.org>
Date: Sat, 27 Sep 2025 15:13:00 +0200
Subject: CVE-2024-23833
Origin: https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a
Debian-Bug: https://bugs.debian.org/1064192
---
.../refine/extension/database/DatabaseConfiguration.java | 7 +++++++
.../refine/extension/database/DatabaseConfigurationTest.java | 12 ++++++++++++
2 files changed, 19 insertions(+)
diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
index 3f0dd57..579ee00 100644
--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
@@ -68,6 +68,13 @@ public class DatabaseConfiguration {
}
public void setDatabaseHost(String databaseServer) {
+ // forbid setting settings inside the host parameter:
+ // https://dev.mysql.com/doc/connector-j/en/connector-j-reference-jdbc-url-format.html
+ if (databaseServer == null ||
+ databaseServer.contains("(") ||
+ databaseServer.contains("=")) {
+ throw new IllegalArgumentException("Invalid host supplied");
+ }
this.databaseHost = databaseServer;
}
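Review bot: The new guard in setDatabaseHost rejects only two characters, `(` and `=`, so it is a denylist tied to the Connector/J syntax linked in the comment. Other driver-specific delimiters in the host would still pass, and this hunk does not show whether the host is escaped when the JDBC URL is assembled. An allowlist is easier to reason about, for example `private static final Pattern VALID_HOST = Pattern.compile("[A-Za-z0-9._:\\[\\]-]+");` checked with `if (databaseServer == null || !VALID_HOST.matcher(databaseServer).matches())`; the exact character set should be confirmed against the hosts callers pass today. The check lives only in the setter, so it is worth confirming that no other path (a constructor or field-level deserialization) assigns databaseHost directly. Null also now throws where it was previously stored, which may affect callers that clear the host.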
diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
index 5a571e8..928aeac 100644
--- a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
@@ -1,5 +1,8 @@
package com.google.refine.extension.database;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertThrows;
+
import org.testng.annotations.Test;
import static org.testng.Assert.assertEquals;
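Review bot: The added `import static org.testng.Assert.assertEquals;` duplicates the identical import that already exists after the `org.testng.annotations.Test` import, so the file now imports it twice. Only `import static org.testng.Assert.assertThrows;` is new. Dropping the duplicate keeps the import block clean and avoids a redundant-import warning from linters.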
@@ -18,4 +21,13 @@ public class DatabaseConfigurationTest {
// the database name is escaped, preventing the exploit
assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
}
+
+ @Test
+ public void testSetMaliciousHost() {
+ DatabaseConfiguration config = new DatabaseConfiguration();
+ config.setDatabaseType("mysql");
+
+ assertThrows(IllegalArgumentException.class,
+ () -> config.setDatabaseHost("127.0.0.1:3306,(allowLoadLocalInfile=true,allowUrlInLocalInfile=true),127.0.0.1"));
+ }
}
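Review bot: testSetMaliciousHost exercises a single input that contains both `(` and `=`, so it would still pass if either half of the condition in setDatabaseHost were removed. Separate assertions for a host containing only `=`, only `(`, and for null, e.g. `assertThrows(IllegalArgumentException.class, () -> config.setDatabaseHost(null));`, would pin each branch. A positive case is also missing: asserting that an ordinary host such as the `my.host` used in the preceding test is still accepted would guard against the check being over-tightened later. A one-line comment naming CVE-2024-23833 on the test would match the explanatory comment in the test above it.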