From 64a0cec764bfdd93c5e3d57e9fc342bcc9824ea3 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Fri, 19 Mar 2021 11:45:31 +0800
Subject: [PATCH] fix CVE-2019-14900

---
 .../expression/LiteralExpression.java         | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
index ac485b4..6125363 100644
--- a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+++ b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/criteria/expression/LiteralExpression.java
@@ -58,17 +58,25 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
 		return ':' + parameterName;
 	}
 
+	private String escapeLiteral(String literal) {
+		return literal.replace("'", "''");
+	}
+
+	private String inlineLiteral(String literal) {
+		return String.format( "\'%s\'", escapeLiteral( literal) );
+	}
+
 	@SuppressWarnings({ "unchecked" })
 	public String renderProjection(RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+			return inlineLiteral( literal.toString() );
+		}
+
 		// some drivers/servers do not like parameters in the select clause
 		final ValueHandlerFactory.ValueHandler handler =
 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
-			return '\'' + handler.render( literal ) + '\'';
-		}
-		else {
-			return handler.render( literal );
-		}
+		return handler.render( literal );
 	}
 
 	@Override
-- 
2.23.0