From e0e22ea256c1906235d6a8e90b79c4ce33d0861f Mon Sep 17 00:00:00 2001
From: Gail Badner <gbadner@redhat.com>
Date: Thu, 18 Jun 2020 12:13:22 -0700
Subject: [PATCH] HHH-14077 : CVE-2019-14900 SQL injection issue using JPA
 Criteria API

---
 .../criteria/internal/expression/LiteralExpression.java  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java b/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java
index e7639a1dff..4c5a19a03d 100644
--- a/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java
+++ b/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java
@@ -110,6 +110,11 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
 	}
 
 	private String renderProjection(RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+			return renderingContext.getDialect().inlineLiteral( literal.toString() );
+		}
+
 		// some drivers/servers do not like parameters in the select clause
 		final ValueHandlerFactory.ValueHandler handler =
 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
@@ -117,10 +122,6 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
 		if ( handler == null ) {
 			return normalRender( renderingContext, LiteralHandlingMode.BIND );
 		}
-
-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
-			return renderingContext.getDialect().inlineLiteral( handler.render( literal ) );
-		}
 		else {
 			return handler.render( literal );
 		}