Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud)

84017: Merged V4.2-BUG-FIX (4.2.4) to HEAD-BUG-FIX (5.0/Cloud) 82509: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.4) 82351: MNT-12272: Merged DEV to V4.1-BUG-FIX (4.1.10) 82330: MNT-12272: Possible sql injection in /api/workflow-instances - Set exluded definitions for query using parameter binding git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@84613 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2014-09-18 17:20:08 +00:00
parent f422aaf88e
commit 9895e145f7
1 changed files with 5 additions and 1 deletions
--- a/source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java
+++ b/source/java/org/alfresco/repo/workflow/jbpm/JBPMEngine.java
@@ -941,11 +941,15 @@ public class JBPMEngine extends AlfrescoBpmEngine implements WorkflowEngine
                    {
                        processSelect.append(" join process.processDefinition as definition");
                    }
+                    int exDefNum = 0;
                    for (String exDef : exludedDefs)
                    {
+                        exDefNum++;
+                        String varExDef = "varExDef" + exDefNum;
                        exDef = BPMEngineRegistry.getLocalId(exDef);
                        exDef = exDef.replaceAll("\\*", "%");
-                        processWhere.append(" and definition.name not like '").append(exDef).append("'");
+                        processWhere.append(" and definition.name not like :").append(varExDef);
+                        processMap.put(varExDef, exDef);
                    }
                }