Fix for Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.

fjssilva · fjssilva · commit 13f06c38fb68 · 2020-01-14T17:56:41.000Z
diff --git a/src/com/mysql/jdbc/CallableStatement.java b/src/com/mysql/jdbc/CallableStatement.java
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -179,7 +179,6 @@ protected class CallableStatementParamInfo implements ParameterMetaData {
             this.numParameters = this.parameterList.size();
         }
 
-        @SuppressWarnings("synthetic-access")
         CallableStatementParamInfo(java.sql.ResultSet paramTypesRs) throws SQLException {
             boolean hadRows = paramTypesRs.last();
 
diff --git a/src/com/mysql/jdbc/Util.java b/src/com/mysql/jdbc/Util.java
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -23,7 +23,6 @@
 
 package com.mysql.jdbc;
 
-import java.io.ObjectInputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
@@ -297,27 +296,6 @@ private static RandStructcture randomInit(long seed1, long seed2) {
         return randStruct;
     }
 
-    /**
-     * Given a ResultSet and an index into the columns of that ResultSet, read
-     * binary data from the column which represents a serialized object, and
-     * re-create the object.
-     * 
-     * @param resultSet
-     *            the ResultSet to use.
-     * @param index
-     *            an index into the ResultSet.
-     * @return the object if it can be de-serialized
-     * @throws Exception
-     *             if an error occurs
-     */
-    public static Object readObject(java.sql.ResultSet resultSet, int index) throws Exception {
-        ObjectInputStream objIn = new ObjectInputStream(resultSet.getBinaryStream(index));
-        Object obj = objIn.readObject();
-        objIn.close();
-
-        return obj;
-    }
-
     private static double rnd(RandStructcture randStruct) {
         randStruct.seed1 = ((randStruct.seed1 * 3) + randStruct.seed2) % randStruct.maxValue;
         randStruct.seed2 = (randStruct.seed1 + randStruct.seed2 + 33) % randStruct.maxValue;
@@ -461,27 +439,6 @@ public static boolean interfaceExists(String hostname) {
         }
     }
 
-    @SuppressWarnings({ "rawtypes", "unchecked" })
-    public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs) throws SQLException {
-        while (rs.next()) {
-            mappedValues.put(rs.getObject(1), rs.getObject(2));
-        }
-    }
-
-    @SuppressWarnings({ "rawtypes", "unchecked" })
-    public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs, int key, int value) throws SQLException {
-        while (rs.next()) {
-            mappedValues.put(rs.getObject(key), rs.getObject(value));
-        }
-    }
-
-    @SuppressWarnings({ "rawtypes", "unchecked" })
-    public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs, String key, String value) throws SQLException {
-        while (rs.next()) {
-            mappedValues.put(rs.getObject(key), rs.getObject(value));
-        }
-    }
-
     public static Map<Object, Object> calculateDifferences(Map<?, ?> map1, Map<?, ?> map2) {
         Map<Object, Object> diffMap = new HashMap<Object, Object>();
 
diff --git a/src/com/mysql/jdbc/interceptors/ServerStatusDiffInterceptor.java b/src/com/mysql/jdbc/interceptors/ServerStatusDiffInterceptor.java
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2007, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -63,15 +63,15 @@ private void populateMapWithSessionStatusValues(Connection connection, Map<Strin
 
         try {
             toPopulate.clear();
-
             stmt = connection.createStatement();
             rs = stmt.executeQuery("SHOW SESSION STATUS");
-            Util.resultSetToMap(toPopulate, rs);
+            while (rs.next()) {
+                toPopulate.put(rs.getString(1), rs.getString(2));
+            }
         } finally {
             if (rs != null) {
                 rs.close();
             }
-
             if (stmt != null) {
                 stmt.close();
             }
