Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/04/21 08:02:25 UTC

[ofbiz-framework] branch release18.12 updated: Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new b7b2d1fd6f Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592)
b7b2d1fd6f is described below

commit b7b2d1fd6fa56305713d75b60a925bc245104a38
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Thu Apr 21 05:59:48 2022 +0200

    Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592)
    
    The previous commit was twice wrong:
    1. System properties in gradle.properties are not defined using -D but using
    systemProp.
    2. Anyway systemProp. is defining system properties only available in JVM where
    Gradle is running, not the application you run. For that you need to use
    applicationDefaultJvmArgs in application in the main build.gradle.
    
    Here is the system property for jdk.serialFilter
    
    Conflicts handled by hand in build.gradle
---
 build.gradle      | 10 ++++++----
 gradle.properties |  2 --
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/build.gradle b/build.gradle
index 6a64bdc141..971975758b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -37,6 +37,7 @@ buildscript {
         classpath 'org.asciidoctor:asciidoctorj-pdf:1.5.0-alpha.16'
     }
 }
+apply plugin: 'application'
 apply plugin: 'java'
 apply plugin: 'groovy'
 apply plugin: 'eclipse'
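Review bot: the new `apply plugin: 'application'` line has no comment saying why it is introduced, and a reader of this hunk alone cannot tell that it exists only to carry `applicationDefaultJvmArgs` for the serial filter. A one-line comment above it (e.g. `// application plugin needed for applicationDefaultJvmArgs (OFBIZ-12592)`) would tie the two hunks together, and it is worth confirming that the plugin's main class is configured somewhere, since this hunk applies the plugin without setting it.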
@@ -51,10 +52,11 @@ apply from: 'common.gradle'
 ext.os = System.getProperty('os.name').toLowerCase()
 ext.pluginsDir = "${rootDir}/plugins"
 
-// java settings
-List jvmArguments = ['-Xms128M', '-Xmx1024M']
-if (project.hasProperty('jvmArgs')) {
-    jvmArguments = jvmArgs.tokenize()
+application {
+    // jdk.serialFilter is to "Prevent possible DOS attack done using Java deserialisation" (OFBIZ-12592)
+    applicationDefaultJvmArgs = project.hasProperty('jvmArgs')
+            ? jvmArgs.tokenize()
+            : ['-Xms128M','-Xmx1024M','-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
 }
 ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
 
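Review bot: in the `applicationDefaultJvmArgs` ternary, passing `-PjvmArgs=...` replaces the whole list, so anyone who overrides the heap flags silently loses `-Djdk.serialFilter` and with it the OFBIZ-12592 mitigation. Append the filter unconditionally instead, e.g. `(project.hasProperty('jvmArgs') ? jvmArgs.tokenize() : ['-Xms128M','-Xmx1024M']) + ['-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']`, and note in the comment that this filter only sets resource limits (array size, graph depth, reference count, stream bytes) against the DoS case described in the ticket; it does not restrict which classes may be deserialised. Also document that `applicationDefaultJvmArgs` only reaches JVMs launched through the application plugin's run/start tasks, so other ways of starting OFBiz need the property set separately.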
diff --git a/gradle.properties b/gradle.properties
index 39ea90a1b2..dbb3a5708b 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -21,5 +21,3 @@ org.gradle.console=plain
 # If you experience heap memory problems during the Gradle build, for example
 # building with integrated plugins, the following setting might help
 #org.gradle.jvmargs=-Xms128m -Xmx1024m -XX:+CMSClassUnloadingEnabled
-# This is for "Prevent possible DOS attack done using Java deserialisation" (OFBIZ-12592)
--Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000
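Review bot: removing the bare `-Djdk.serialFilter=...` line is correct, since a key in gradle.properties without the `systemProp.` prefix is never passed to any JVM and the previous commit therefore had no effect; consider leaving a short comment here pointing to the `application` block in build.gradle so the next person looking for the OFBIZ-12592 setting finds it.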