Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/05/02 10:50:26 UTC
[ofbiz-framework] 02/03: Improved: Improve ObjectInputStream class
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 27c91802fcd83ef8b466d189fe8a7cbad22cc8e3
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat May 2 12:32:07 2020 +0200
Improved: Improve ObjectInputStream class
(OFBIZ-10837)
While working on OFBIZ-11633 I crossed an issue in R18 (not in trunk) where
objects from org.apache.commons.fileupload (namely DiskFileItem and
FileItemHeadersImpl) are not serializable.
While at it I decided to handle at the SafeObjectInputStream level
the "fileItems" case I had already come across, with OFBIZ-11534, in RequestHandler.
This has a drawback in R18 (not in trunk), where ObjectInputStream can't
handle a null class (of course) and so returns a benign exception in the log (only).
I believe it's better to handle these specific cases at the lower possible
level in all supported branches.
---
.../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 4 ++++
.../base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java | 4 ++++
.../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java | 4 ----
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 2aebcde..d50cfbf 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -64,6 +64,10 @@ public final class SafeObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+ // DiskFileItem, FileItemHeadersImpl are not serializable.
+ if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+ return null;
+ }
Debug.logWarning("***Incompatible class***: "
+ classDesc.getName()
+ ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. "
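Review bot: The new early return in `resolveClass` matches with `contains("org.apache.commons.fileupload")`, so any non-whitelisted class name that merely embeds that string is refused without the `***Incompatible class***` warning that every other refused class gets. Anchoring the test to the package, `if (classDesc.getName().startsWith("org.apache.commons.fileupload.")) {`, keeps the quiet path limited to the classes the comment names. Because this stream is the deserialization filter, I would also keep a low-level log line on this branch so that a refused fileupload class arriving in untrusted bytes still leaves a trace. Returning `null` relies on ObjectInputStream treating a null class as a failure (the commit message describes an exception in the log); throwing `ClassNotFoundException` directly would state the intent. The rest of `resolveClass` lies outside the hunk.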
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index eb7666a..e194a2c 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -93,6 +93,10 @@ public final class UtilObject {
Object obj = null;
try {
obj = getObjectException(bytes);
+ // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
+ if (obj == null) {
+ return null;
+ }
} catch (ClassNotFoundException | IOException e) {
Debug.logError(e, module);
}
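Review bot: The comment added in the `try` block attributes a null `obj` to `SafeObjectInputStream::resolveClass` returning null, but `resolveClass` yields a class rather than the deserialized object, and the commit message itself says the null class surfaces as an exception in the log, which would land in the `catch` below instead of in this check. If that is right, the `if (obj == null)` guard is reached only when the stream legitimately encodes null, and callers cannot tell a refused class from a null payload either way. I would reword the comment to something like `// A refused class (e.g. DiskFileItem) yields no object; callers must treat null as "nothing deserialized"` and confirm which path actually runs. The method's signature and its code after the `catch` are outside the hunk.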
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index f239f20..52fa77f 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -835,10 +835,6 @@ public class RequestHandler {
}
}
if (reqAttrMap.size() > 0) {
- // fileItems is not serializable.
- // It contains a temporary DiskFileItem with a null value than can't be detected by UtilMisc::makeMapSerializable
- // So it must be removed from reqAttrMap. See OFBIZ-11534
- reqAttrMap.remove("fileItems");
byte[] reqAttrMapBytes = UtilObject.getBytes(reqAttrMap);
if (reqAttrMapBytes != null) {
req.getSession().setAttribute("_REQ_ATTR_MAP_", StringUtil.toHexString(reqAttrMapBytes));