Metabase 远程代码执行漏洞分析 & 一种补丁绕过方法 CVE-2023-38646

(defn- connection-string-set-safe-options  "Add Metabase Security Settings™ to this `connection-string` (i.e. try to keep shady users from writing nasty SQL)."  [connection-string]  {:pre [(string? connection-string)]}  (let [
下载地址
 (connection-string->file+options connection-string)]    (file+options->connection-string file (merge                                           (->> options;; Remove INIT=... from options for security reasons (Metaboat #165);; http://h2database.com/html/features.html#execute_sql_on_connection                                                (remove (fn [[k _]] (= (u/lower-case-en k) "init")))                                                (into {}))                                           {"IFEXISTS" "TRUE"}))))

private void readSettingsFromURL() {     DbSettings var1 = DbSettings.getDefaultSettings();     int var2 = this.url.indexOf(59);     if (var2 >= 0) {        String var3 = this.url.substring(var2 + 1);        this.url = this.url.substring(0, var2);        String[] var4 = StringUtils.arraySplit(var3, ';', false);        String[] var5 = var4;        int var6 = var4.length;
        for(int var7 = 0; var7 < var6; ++var7) {           String var8 = var5[var7];           if (!var8.isEmpty()) {              int var9 = var8.indexOf(61);              if (var9 < 0) {                 throw this.getFormatException();              }
              String var10 = var8.substring(var9 + 1);              String var11 = var8.substring(0, var9);              var11 = StringUtils.toUpperEnglish(var11);              if (!isKnownSetting(var11) && !var1.containsKey(var11)) {                 throw DbException.get(90113, var11);              }
              String var12 = this.prop.getProperty(var11);              if (var12 != null && !var12.equals(var10)) {                 throw DbException.get(90066, var11);              }
              this.prop.setProperty(var11, var10);           }        }     }
  }