///
@@ -188,5 +188,15 @@ private static int GetAfterSelectInsertPoint(SqlString sql)
}
return 0;
}
+
+ ///
+ /// by default for SQL Anywhere,
+ /// .
+ protected override bool EscapeBackslashInStrings { get; set; } = true;
+
+ ///
+ /// by default for SQL Anywhere,
+ /// .
+ protected override bool UseNPrefixForUnicodeStrings => true;
}
}
diff --git a/src/NHibernate/Dialect/SybaseSQLAnywhere10Dialect.cs b/src/NHibernate/Dialect/SybaseSQLAnywhere10Dialect.cs
index 290e626671f..ac5aa44f8e0 100644
--- a/src/NHibernate/Dialect/SybaseSQLAnywhere10Dialect.cs
+++ b/src/NHibernate/Dialect/SybaseSQLAnywhere10Dialect.cs
@@ -969,5 +969,15 @@ public override IDataBaseSchema GetDataBaseSchema(DbConnection connection)
///
/// SQL Anywhere has a micro-second resolution.
public override long TimestampResolutionInTicks => 10L;
+
+ ///
+ /// by default for SQL Anywhere,
+ /// .
+ protected override bool EscapeBackslashInStrings { get; set; } = true;
+
+ ///
+ /// by default for SQL Anywhere,
+ /// .
+ protected override bool UseNPrefixForUnicodeStrings => true;
}
}
diff --git a/src/NHibernate/Type/AbstractCharType.cs b/src/NHibernate/Type/AbstractCharType.cs
index 5efb630c16c..d47e3c5b21c 100644
--- a/src/NHibernate/Type/AbstractCharType.cs
+++ b/src/NHibernate/Type/AbstractCharType.cs
@@ -51,9 +51,7 @@ public override void Set(DbCommand cmd, object value, int index, ISessionImpleme
}
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return '\'' + value.ToString() + '\'';
- }
+ => dialect.ToStringLiteral(value.ToString(), SqlType);
// 6.0 TODO: rename "xml" parameter as "value": it is not a xml string. The fact it generally comes from a xml
// attribute value is irrelevant to the method behavior.
diff --git a/src/NHibernate/Type/AbstractDateTimeType.cs b/src/NHibernate/Type/AbstractDateTimeType.cs
index 8f95323cb78..07c32a7ba8a 100644
--- a/src/NHibernate/Type/AbstractDateTimeType.cs
+++ b/src/NHibernate/Type/AbstractDateTimeType.cs
@@ -176,7 +176,7 @@ public override object FromStringValue(string xml)
public override object DefaultValue => BaseDateValue;
///
- public override string ObjectToSQLString(object value, Dialect.Dialect dialect) =>
- "'" + (DateTime) value + "'";
+ public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
+ => dialect.ToStringLiteral(((DateTime) value).ToString(), SqlTypeFactory.GetAnsiString(50));
}
}
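Review bot: `((DateTime) value).ToString()` on the new line formats with the thread's current culture, so the text handed to dialect.ToStringLiteral depends on the process culture (date order, separators, 12/24-hour clock, even non-Latin digits), whereas the numeric types in this same commit switched to CultureInfo.InvariantCulture. Escaping through the dialect presumably neutralises quotes in the result, so this is a correctness and portability gap rather than an injection one, but it is the same class of culture bug the commit fixes elsewhere. An explicit, round-trippable format would pin the output, e.g. `((DateTime) value).ToString("yyyy-MM-dd HH:mm:ss.FFFFFFF", CultureInfo.InvariantCulture)`; if the culture-dependent text is intentional, a comment saying so on this line is the minimum. The DateTimeOffSetType hunk, the DateType hunk (`ToShortDateString`) and the TimeType hunk (`ToShortTimeString`) have the same dependency; whether `System.Globalization` is already imported in those files is not visible in the hunks.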
diff --git a/src/NHibernate/Type/AbstractStringType.cs b/src/NHibernate/Type/AbstractStringType.cs
index 9d47aaf07ff..72949c1093c 100644
--- a/src/NHibernate/Type/AbstractStringType.cs
+++ b/src/NHibernate/Type/AbstractStringType.cs
@@ -134,10 +134,9 @@ public object StringToObject(string xml)
#region ILiteralType Members
+ ///
public string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return "'" + (string)value + "'";
- }
+ => dialect.ToStringLiteral((string)value, SqlType);
#endregion
diff --git a/src/NHibernate/Type/ByteType.cs b/src/NHibernate/Type/ByteType.cs
index 7c90bd6738a..c780427b2ae 100644
--- a/src/NHibernate/Type/ByteType.cs
+++ b/src/NHibernate/Type/ByteType.cs
@@ -2,6 +2,7 @@
using System.Collections;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -54,7 +55,7 @@ public override string Name
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((byte)value).ToString(CultureInfo.InvariantCulture);
}
// 6.0 TODO: rename "xml" parameter as "value": it is not a xml string. The fact it generally comes from a xml
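Review bot: The strict unbox `(byte)value` on the new line changes the failure mode: a boxed value of any other type now throws InvalidCastException where the old `value.ToString()` rendered whatever text the object produced, and that exact-type requirement is what guarantees the emitted text is a plain integer. Because this is a security property rather than an accident, a short comment would keep a later "robustness" edit from relaxing it back to rendering arbitrary objects: `// Unbox strictly: anything that is not a byte throws instead of being rendered into SQL.` The same applies to the sibling hunks in DecimalType, DoubleType, Int16Type, Int32Type, Int64Type, SByteType, SingleType, UInt16Type, UInt32Type and UInt64Type.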
diff --git a/src/NHibernate/Type/CharBooleanType.cs b/src/NHibernate/Type/CharBooleanType.cs
index 9cde87c6697..c721640ef09 100644
--- a/src/NHibernate/Type/CharBooleanType.cs
+++ b/src/NHibernate/Type/CharBooleanType.cs
@@ -3,7 +3,6 @@
using System.Data.Common;
using NHibernate.Engine;
using NHibernate.SqlTypes;
-using NHibernate.Util;
namespace NHibernate.Type
{
@@ -57,9 +56,7 @@ private string ToCharacter(object value)
}
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return "'" + ToCharacter(value) + "'";
- }
+ => dialect.ToStringLiteral(ToCharacter(value), SqlType);
// 6.0 TODO: rename "xml" parameter as "value": it is not a xml string. The fact it generally comes from a xml
// attribute value is irrelevant to the method behavior.
diff --git a/src/NHibernate/Type/DateTimeOffSetType.cs b/src/NHibernate/Type/DateTimeOffSetType.cs
index 37837aec289..78a9c80661b 100644
--- a/src/NHibernate/Type/DateTimeOffSetType.cs
+++ b/src/NHibernate/Type/DateTimeOffSetType.cs
@@ -155,8 +155,6 @@ public override object FromStringValue(string xml)
}
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return "'" + ((DateTimeOffset) value) + "'";
- }
+ => dialect.ToStringLiteral(((DateTimeOffset) value).ToString(), SqlTypeFactory.GetAnsiString(50));
}
}
diff --git a/src/NHibernate/Type/DateType.cs b/src/NHibernate/Type/DateType.cs
index 76d3fbb99e9..1a3bac85c5c 100644
--- a/src/NHibernate/Type/DateType.cs
+++ b/src/NHibernate/Type/DateType.cs
@@ -93,8 +93,8 @@ public override string ToString(object val) =>
public override object DefaultValue => customBaseDate;
///
- public override string ObjectToSQLString(object value, Dialect.Dialect dialect) =>
- "\'" + ((DateTime)value).ToShortDateString() + "\'";
+ public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
+ => dialect.ToStringLiteral(((DateTime) value).ToShortDateString(), SqlTypeFactory.GetAnsiString(50));
// Since v5
[Obsolete("Its only parameter, BaseValue, is obsolete.")]
diff --git a/src/NHibernate/Type/DecimalType.cs b/src/NHibernate/Type/DecimalType.cs
index 158fa028fc7..df6f0b60f4a 100644
--- a/src/NHibernate/Type/DecimalType.cs
+++ b/src/NHibernate/Type/DecimalType.cs
@@ -1,6 +1,7 @@
using System;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -66,7 +67,7 @@ public override object FromStringValue(string xml)
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((decimal)value).ToString(CultureInfo.InvariantCulture);
}
// 6.0 TODO: rename "xml" parameter as "value": it is not a xml string. The fact it generally comes from a xml
diff --git a/src/NHibernate/Type/DoubleType.cs b/src/NHibernate/Type/DoubleType.cs
index 4a8cf3406a9..b7df9359bb9 100644
--- a/src/NHibernate/Type/DoubleType.cs
+++ b/src/NHibernate/Type/DoubleType.cs
@@ -1,6 +1,7 @@
using System;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -66,7 +67,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((double)value).ToString(CultureInfo.InvariantCulture);
}
}
}
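Review bot: `((double)value).ToString(CultureInfo.InvariantCulture)` yields the bare tokens `NaN`, `Infinity` or `-Infinity` for non-finite values, and none of them is a SQL numeric literal, so the statement is either rejected or, on servers that resolve an unquoted word as an identifier, misparsed. This is not an injection path, since the formatter fixes the output, but it silently produces invalid SQL for a reachable input. Rejecting such values up front, `if (double.IsNaN(d) || double.IsInfinity(d)) throw new ArgumentOutOfRangeException(nameof(value));`, would surface the problem in the application instead of at the database; the SingleType hunk has the same gap with `float`.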
diff --git a/src/NHibernate/Type/EnumCharType.cs b/src/NHibernate/Type/EnumCharType.cs
index ece3684ff6f..d73490ff19e 100644
--- a/src/NHibernate/Type/EnumCharType.cs
+++ b/src/NHibernate/Type/EnumCharType.cs
@@ -171,8 +171,6 @@ public override object FromStringValue(string xml)
}
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return '\'' + GetValue(value).ToString() + '\'';
- }
+ => dialect.ToStringLiteral(GetValue(value).ToString(), SqlType);
}
}
diff --git a/src/NHibernate/Type/GuidType.cs b/src/NHibernate/Type/GuidType.cs
index a883f3a6b5a..70d26f1d950 100644
--- a/src/NHibernate/Type/GuidType.cs
+++ b/src/NHibernate/Type/GuidType.cs
@@ -88,7 +88,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return "'" + value + "'";
+ return dialect.ToStringLiteral(value.ToString(), SqlTypeFactory.GetAnsiString(50));
}
}
}
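Review bot: `value.ToString()` is still invoked on the untyped `value`, so an object of the wrong type is rendered (then escaped) rather than rejected, unlike the numeric hunks in this commit that unbox to the exact CLR type. `((Guid) value).ToString()` would make a wrong type throw instead of quietly producing a quoted arbitrary string, and it documents the expected input. Since dialect.ToStringLiteral presumably escapes the result, this is a consistency point rather than a vulnerability.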
diff --git a/src/NHibernate/Type/Int16Type.cs b/src/NHibernate/Type/Int16Type.cs
index f517be93424..af018c60ab0 100644
--- a/src/NHibernate/Type/Int16Type.cs
+++ b/src/NHibernate/Type/Int16Type.cs
@@ -1,10 +1,11 @@
using System;
using System.Collections;
+using System.Collections.Generic;
+using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
-using System.Collections.Generic;
-using System.Data;
namespace NHibernate.Type
{
@@ -114,7 +115,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((short)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/Int32Type.cs b/src/NHibernate/Type/Int32Type.cs
index 9602842ae3b..2ec84eecf19 100644
--- a/src/NHibernate/Type/Int32Type.cs
+++ b/src/NHibernate/Type/Int32Type.cs
@@ -1,10 +1,11 @@
using System;
using System.Collections;
+using System.Collections.Generic;
+using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
-using System.Collections.Generic;
-using System.Data;
namespace NHibernate.Type
{
@@ -114,7 +115,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((int)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/Int64Type.cs b/src/NHibernate/Type/Int64Type.cs
index 5bad9a7513b..64a6cf37a63 100644
--- a/src/NHibernate/Type/Int64Type.cs
+++ b/src/NHibernate/Type/Int64Type.cs
@@ -3,6 +3,7 @@
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -114,7 +115,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((long)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/SByteType.cs b/src/NHibernate/Type/SByteType.cs
index 55021fb22a6..f3cbefa7503 100644
--- a/src/NHibernate/Type/SByteType.cs
+++ b/src/NHibernate/Type/SByteType.cs
@@ -3,6 +3,7 @@
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -116,7 +117,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((sbyte)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/SingleType.cs b/src/NHibernate/Type/SingleType.cs
index 70ca434e04d..4d299bb1c17 100644
--- a/src/NHibernate/Type/SingleType.cs
+++ b/src/NHibernate/Type/SingleType.cs
@@ -1,6 +1,7 @@
using System;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -91,7 +92,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((float)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/TicksType.cs b/src/NHibernate/Type/TicksType.cs
index 4fc18a007cd..bc82d101df8 100644
--- a/src/NHibernate/Type/TicksType.cs
+++ b/src/NHibernate/Type/TicksType.cs
@@ -1,6 +1,7 @@
using System;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -100,7 +101,7 @@ public override object Seed(ISessionImplementor session)
///
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return '\'' + ((DateTime)value).Ticks.ToString() + '\'';
+ return '\'' + ((DateTime)value).Ticks.ToString(CultureInfo.InvariantCulture) + '\'';
}
}
}
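Review bot: This hunk keeps the hand-written quoting `'\'' + … + '\''` while every other literal type in the commit now routes through dialect.ToStringLiteral. That is safe here only because the quoted text is a `long` rendered with the invariant culture, digits with an optional leading minus, and nothing else; that property is worth recording on the line so the next edit does not reintroduce concatenation of arbitrary text: `// Ticks is a long rendered invariantly (digits only), so plain quoting cannot break out of the literal.` The same pattern appears in the TimeAsTimeSpanType and TimeSpanType hunks.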
diff --git a/src/NHibernate/Type/TimeAsTimeSpanType.cs b/src/NHibernate/Type/TimeAsTimeSpanType.cs
index e525ecfa555..fd7bd7058c7 100644
--- a/src/NHibernate/Type/TimeAsTimeSpanType.cs
+++ b/src/NHibernate/Type/TimeAsTimeSpanType.cs
@@ -1,10 +1,11 @@
using System;
using System.Collections;
+using System.Collections.Generic;
+using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
-using System.Collections.Generic;
-using System.Data;
namespace NHibernate.Type
{
@@ -141,7 +142,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return '\'' + ((TimeSpan)value).Ticks.ToString() + '\'';
+ return '\'' + ((TimeSpan)value).Ticks.ToString(CultureInfo.InvariantCulture) + '\'';
}
}
}
diff --git a/src/NHibernate/Type/TimeSpanType.cs b/src/NHibernate/Type/TimeSpanType.cs
index 5ca576454b9..1ce300af06b 100644
--- a/src/NHibernate/Type/TimeSpanType.cs
+++ b/src/NHibernate/Type/TimeSpanType.cs
@@ -1,10 +1,11 @@
using System;
using System.Collections;
+using System.Collections.Generic;
+using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
-using System.Collections.Generic;
-using System.Data;
namespace NHibernate.Type
{
@@ -128,7 +129,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return '\'' + ((TimeSpan)value).Ticks.ToString() + '\'';
+ return '\'' + ((TimeSpan)value).Ticks.ToString(CultureInfo.InvariantCulture) + '\'';
}
}
}
diff --git a/src/NHibernate/Type/TimeType.cs b/src/NHibernate/Type/TimeType.cs
index be487f81cff..b808619ae70 100644
--- a/src/NHibernate/Type/TimeType.cs
+++ b/src/NHibernate/Type/TimeType.cs
@@ -171,8 +171,6 @@ public override object DefaultValue
}
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return "'" + ((DateTime)value).ToShortTimeString() + "'";
- }
+ => dialect.ToStringLiteral(((DateTime) value).ToShortTimeString(), SqlTypeFactory.GetAnsiString(50));
}
}
diff --git a/src/NHibernate/Type/UInt16Type.cs b/src/NHibernate/Type/UInt16Type.cs
index 10e9d15cd9b..90421392d8f 100644
--- a/src/NHibernate/Type/UInt16Type.cs
+++ b/src/NHibernate/Type/UInt16Type.cs
@@ -3,6 +3,7 @@
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -114,7 +115,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((ushort)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/UInt32Type.cs b/src/NHibernate/Type/UInt32Type.cs
index 0590278ef68..897dca99a19 100644
--- a/src/NHibernate/Type/UInt32Type.cs
+++ b/src/NHibernate/Type/UInt32Type.cs
@@ -3,6 +3,7 @@
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -114,7 +115,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((uint)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/UInt64Type.cs b/src/NHibernate/Type/UInt64Type.cs
index a902b6d46fe..5665a1077d1 100644
--- a/src/NHibernate/Type/UInt64Type.cs
+++ b/src/NHibernate/Type/UInt64Type.cs
@@ -3,6 +3,7 @@
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
+using System.Globalization;
using NHibernate.Engine;
using NHibernate.SqlTypes;
@@ -113,7 +114,7 @@ public override object DefaultValue
public override string ObjectToSQLString(object value, Dialect.Dialect dialect)
{
- return value.ToString();
+ return ((ulong)value).ToString(CultureInfo.InvariantCulture);
}
}
}
diff --git a/src/NHibernate/Type/UriType.cs b/src/NHibernate/Type/UriType.cs
index 68f319606d3..100c3704a35 100644
--- a/src/NHibernate/Type/UriType.cs
+++ b/src/NHibernate/Type/UriType.cs
@@ -84,9 +84,7 @@ public override object FromStringValue(string xml)
}
public string ObjectToSQLString(object value, Dialect.Dialect dialect)
- {
- return "'" + ((Uri)value).OriginalString + "'";
- }
+ => dialect.ToStringLiteral(((Uri) value).OriginalString, SqlType);
///
public override object Assemble(object cached, ISessionImplementor session, object owner)
diff --git a/src/NHibernate/nhibernate-configuration.xsd b/src/NHibernate/nhibernate-configuration.xsd
index 08d922ad963..123b2c35e60 100644
--- a/src/NHibernate/nhibernate-configuration.xsd
+++ b/src/NHibernate/nhibernate-configuration.xsd
@@ -176,6 +176,14 @@
+
+
+
+ Indicates if the database needs to have backslash escaped in string literals. The default is
+ dialect dependent.
+
+
+
From ac2ff3a0d0f3ef7385410f1d93f8dde63f2e1475 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Delaporte?=
<12201973+fredericDelaporte@users.noreply.github.com>
Date: Thu, 4 Jul 2024 13:58:33 +0200
Subject: [PATCH 6/6] Release 5.4.9 (#3576)
---
build-common/NHibernate.props | 2 +-
releasenotes.txt | 22 +++++++++++++++++++++-
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/build-common/NHibernate.props b/build-common/NHibernate.props
index 3c2d1bdc620..a04cab397a3 100644
--- a/build-common/NHibernate.props
+++ b/build-common/NHibernate.props
@@ -3,7 +3,7 @@
5.4
- 8
+ 9
9.0
diff --git a/releasenotes.txt b/releasenotes.txt
index 2351054af6c..56edaa06765 100644
--- a/releasenotes.txt
+++ b/releasenotes.txt
@@ -1,4 +1,24 @@
-Build 5.4.8
+Build 5.4.9
+=============================
+
+Release notes - NHibernate - Version 5.4.9
+
+6 issues were resolved in this release, including CVE-2024-39677.
+
+** Bug
+
+ * #3547 Handle SQL injection vulnerabilities within ObjectToSQLString
+
+** Task
+
+ * #3576 Release 5.4.9
+ * #3558 Migrate AppVeyor & TC builds to PostgreSQL 13
+ * #3545 Upgrade Npgsql to a non vulnerable version
+ * #3544 Upgrade vulnerable test dependencies
+ * #3517 Obsolete vulnerable literal AddColumn
+
+
+Build 5.4.8
=============================
Release notes - NHibernate - Version 5.4.8