From 9895e145f77a292432ed2f0e9d66fe2e2f0b565d Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Thu, 18 Sep 2014 17:20:08 +0000
Subject: [PATCH] Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud)
84017: Merged V4.2-BUG-FIX (4.2.4) to HEAD-BUG-FIX (5.0/Cloud)
82509: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.4)
82351: MNT-12272: Merged DEV to V4.1-BUG-FIX (4.1.10)
82330: MNT-12272: Possible sql injection in /api/workflow-instances
- Set exluded definitions for query using parameter binding
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@84613 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java b/source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java
index f093b43264..809d2736e8 100644
--- a/source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java
+++ b/source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java
@@ -941,11 +941,15 @@ public class JBPMEngine extends AlfrescoBpmEngine implements WorkflowEngine
                 {
                     processSelect.append(" join process.processDefinition as definition");
                 }
+                int exDefNum = 0;
                 for (String exDef : exludedDefs)
                 {
+                    exDefNum++;
+                    String varExDef = "varExDef" + exDefNum;
                     exDef = BPMEngineRegistry.getLocalId(exDef);
                     exDef = exDef.replaceAll("\\*", "%");
-                    processWhere.append(" and definition.name not like '").append(exDef).append("'");
+                    processWhere.append(" and definition.name not like :").append(varExDef);
+                    processMap.put(varExDef, exDef);
                 }
             }
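Review bot: The value bound on the `processMap.put(varExDef, exDef)` line still carries LIKE metacharacters the caller may not intend as wildcards: only `*` is rewritten to `%` on the preceding `replaceAll` line, so a `_` or a literal `%` inside an excluded definition name widens the `not like` match (a constructed name such as `wf_review` would also exclude any definition matching `wf?review`). Parameter binding closes the injection path the commit targets, but it does not change that matching semantic, which the old string-concatenated form had as well. If exact matching apart from `*` is intended, escape `_` and `%` in `exDef` before the `*` rewrite and add an `escape` clause to the `not like` (HQL supports one; confirm the jBPM query layer passes it through), otherwise document the behaviour on the loop, e.g. `// '_' and '%' in an excluded definition name are LIKE wildcards; only '*' is translated`. The enclosing method starts and ends outside the hunk, so whether `exludedDefs` is already validated upstream cannot be seen here.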