zhouxy108/hutool
1
0
Fork 0
mirror of https://gitee.com/chinabugotech/hutool.git synced 2025-07-21 15:09:48 +08:00
Code Issues Packages Projects Releases Wiki Activity

修复NumberUtil.toBigDecimal方法报StackOverflowError(CVE-2023-51080)

Browse Source
This commit is contained in:
Looly
2024-01-11 12:08:46 +08:00
parent 037d53794d
commit f341b9ed7a
5 changed files with 36 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hutool-core/src/main/java/org/dromara/hutool/core/math/NumberParser.java
View File

@@ -297,6 +297,7 @@ public class NumberParser {
// issue#I79VS7 // issue#I79VS7
numberStr = StrUtil.subSuf(numberStr, 1); numberStr = StrUtil.subSuf(numberStr, 1);
} }
try { try {
final NumberFormat format = NumberFormat.getInstance(locale); final NumberFormat format = NumberFormat.getInstance(locale);
if (format instanceof DecimalFormat) { if (format instanceof DecimalFormat) {

6
hutool-core/src/main/java/org/dromara/hutool/core/math/NumberUtil.java
View File

@@ -898,12 +898,12 @@ public class NumberUtil extends NumberValidator {
} }
// Float、Double等有精度问题转换为字符串后再转换 // Float、Double等有精度问题转换为字符串后再转换
return toBigDecimal(number.toString()); return new BigDecimal(number.toString());
} }
/** /**
* 数字转{@link BigDecimal}<br> * 数字转{@link BigDecimal}<br>
* null或""或空白符转换为0 * null或""或"NaN"或空白符转换为0
* *
* @param numberStr 数字字符串 * @param numberStr 数字字符串
* @return {@link BigDecimal} * @return {@link BigDecimal}
@@ -927,7 +927,7 @@ public class NumberUtil extends NumberValidator {
/** /**
* 数字转{@link BigInteger}<br> * 数字转{@link BigInteger}<br>
* null转换为0 * null或"NaN"转换为0
* *
* @param number 数字 * @param number 数字
* @return {@link BigInteger} * @return {@link BigInteger}

28
hutool-core/src/test/java/org/dromara/hutool/core/math/Issue3423Test.java Normal file
View File

@@ -0,0 +1,28 @@
package org.dromara.hutool.core.math;
import org.dromara.hutool.core.lang.Console;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import java.math.BigDecimal;
import java.text.DecimalFormat;
import java.text.NumberFormat;
import java.text.ParseException;
public class Issue3423Test {
@Test
public void toBigDecimalOfNaNTest() {
final BigDecimal naN = NumberUtil.toBigDecimal("NaN");
Assertions.assertEquals(BigDecimal.ZERO, naN);
}
@Test
@Disabled
public void toBigDecimalOfNaNTest2() throws ParseException {
final NumberFormat format = NumberFormat.getInstance();
((DecimalFormat) format).setParseBigDecimal(true);
final Number naN = format.parse("NaN");
Console.log(naN.getClass());
}
}

3
hutool-cron/src/main/java/org/dromara/hutool/cron/CronConfig.java
View File

@@ -31,6 +31,9 @@ public class CronConfig {
*/ */
protected boolean matchSecond; protected boolean matchSecond;
/**
* 构造
*/
public CronConfig(){ public CronConfig(){
} }

2
hutool-db/README.md
View File

@@ -28,7 +28,7 @@
### SQL相关工具sql ### SQL相关工具sql
提供SQL相关功能包括SQL变量替换NamedSql通过对象完成SQL构建SqlBuilder等。 提供SQL相关功能包括SQL变量替换NamedSql通过对象完成SQL构建SqlBuilder等。
`SqlSqlExecutor`提供SQL执行的静态方法。 `SqlExecutor`提供SQL执行的静态方法。
### 数据库元信息meta ### 数据库元信息meta
通过`MetaUtil`提供数据库表、字段等信息的读取操作。 通过`MetaUtil`提供数据库表、字段等信息的读取操作。