Posted to commits@commons.apache.org by ch...@apache.org on 2017/07/11 17:56:07 UTC
[37/50] commons-collections git commit: [COLLECTIONS-580] Add fix for
PrototypeFactory as well.
[COLLECTIONS-580] Add fix for PrototypeFactory as well.
git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713849 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/commons-collections/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-collections/commit/d9a00134
Tree: http://git-wip-us.apache.org/repos/asf/commons-collections/tree/d9a00134
Diff: http://git-wip-us.apache.org/repos/asf/commons-collections/diff/d9a00134
Branch: refs/heads/COLLECTIONS_3_2_X
Commit: d9a00134f16d685bea11b2b12de824845e6473e3
Parents: bce4d02
Author: Thomas Neidhart <tn...@apache.org>
Authored: Wed Nov 11 14:21:37 2015 +0000
Committer: Thomas Neidhart <tn...@apache.org>
Committed: Wed Nov 11 14:21:37 2015 +0000
----------------------------------------------------------------------
.../collections/functors/PrototypeFactory.java | 46 ++++++++++++++++++
.../commons/collections/functors/package.html | 2 +
.../commons/collections/functors/TestAll.java | 1 +
.../functors/TestPrototypeFactory.java | 49 ++++++++++++++++++++
4 files changed, 98 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
index 5ba69eb..e28efb2 100644
--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
+++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
@@ -49,6 +49,16 @@ public class PrototypeFactory {
* <li>public copy constructor
* <li>serialization clone
* <ul>
+ * <p>
+ * <b>WARNING:</b> from v3.2.2 onwards this method will return a {@code Factory}
+ * that will throw an {@link UnsupportedOperationException} when trying to serialize
+ * or de-serialize it to prevent potential remote code execution exploits.
+ * <p>
+ * In order to re-enable serialization support the following system property
+ * can be used (via -Dproperty=true):
+ * <pre>
+ * org.apache.commons.collections.enableUnsafeSerialization
+ * </pre>
*
* @param prototype the object to clone each time in the factory
* @return the <code>prototype</code> factory
@@ -144,6 +154,24 @@ public class PrototypeFactory {
throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
}
}
+
+ /**
+ * Overrides the default writeObject implementation to prevent
+ * serialization (see COLLECTIONS-580).
+ */
+ private void writeObject(ObjectOutputStream os) throws IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+ os.defaultWriteObject();
+ }
+
+ /**
+ * Overrides the default readObject implementation to prevent
+ * de-serialization (see COLLECTIONS-580).
+ */
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+ is.defaultReadObject();
+ }
}
// PrototypeSerializationFactory
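Review bot: The Javadoc on the two new hooks says each "overrides the default writeObject implementation", but `writeObject`/`readObject` here are the private hooks that `ObjectOutputStream`/`ObjectInputStream` locate by reflection, not overrides of an inherited method; the same wording is repeated in the PrototypeSerializationFactory hunk below. A more accurate comment would be `Serialization hook: rejects (de)serialization unless unsafe serialization has been explicitly enabled (see COLLECTIONS-580).` The ordering itself is right — the check runs before `defaultReadObject()`, so a rejected stream never populates the prototype field. The enclosing PrototypeCloneFactory class starts outside the hunk, and no hunk adds imports for ObjectInputStream/ObjectOutputStream/IOException, so presumably they are already imported at the top of the file — worth confirming.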
@@ -204,6 +232,24 @@ public class PrototypeFactory {
}
}
}
+
+ /**
+ * Overrides the default writeObject implementation to prevent
+ * serialization (see COLLECTIONS-580).
+ */
+ private void writeObject(ObjectOutputStream os) throws IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+ os.defaultWriteObject();
+ }
+
+ /**
+ * Overrides the default readObject implementation to prevent
+ * de-serialization (see COLLECTIONS-580).
+ */
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+ is.defaultReadObject();
+ }
}
}
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/java/org/apache/commons/collections/functors/package.html
----------------------------------------------------------------------
diff --git a/src/java/org/apache/commons/collections/functors/package.html b/src/java/org/apache/commons/collections/functors/package.html
index d73ee62..d678ddd 100644
--- a/src/java/org/apache/commons/collections/functors/package.html
+++ b/src/java/org/apache/commons/collections/functors/package.html
@@ -38,6 +38,8 @@ Classes considered to be unsafe are:
<li>InstantiateFactory</li>
<li>InstantiateTransformer</li>
<li>InvokerTransformer</li>
+ <li>PrototypeFactory$PrototypeCloneFactory</li>
+ <li>PrototypeFactory$PrototypeSerializationFactory</li>
<li>WhileClosure</li>
</ul>
<p>
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/test/org/apache/commons/collections/functors/TestAll.java
----------------------------------------------------------------------
diff --git a/src/test/org/apache/commons/collections/functors/TestAll.java b/src/test/org/apache/commons/collections/functors/TestAll.java
index 5337628..14bcf7a 100644
--- a/src/test/org/apache/commons/collections/functors/TestAll.java
+++ b/src/test/org/apache/commons/collections/functors/TestAll.java
@@ -36,6 +36,7 @@ public class TestAll extends TestCase {
suite.addTest(TestInstantiateTransformer.suite());
suite.addTest(TestInstantiateFactory.suite());
suite.addTest(TestInvokerTransformer.suite());
+ suite.addTest(TestPrototypeFactory.suite());
suite.addTest(TestWhileClosure.suite());
return suite;
}
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
----------------------------------------------------------------------
diff --git a/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java b/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
new file mode 100644
index 0000000..1ac51e4
--- /dev/null
+++ b/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.collections.functors;
+
+import java.util.ArrayList;
+
+import org.apache.commons.collections.Factory;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+public class TestPrototypeFactory extends AbstractTestSerialization {
+
+ // conventional
+ // ------------------------------------------------------------------------
+
+ public TestPrototypeFactory(String testName) {
+ super(testName);
+ }
+
+ public static Test suite() {
+ return new TestSuite(TestPrototypeFactory.class);
+ }
+
+ // ------------------------------------------------------------------------
+
+ public Object makeObject() {
+ return PrototypeFactory.getInstance(new ArrayList());
+ }
+
+ public Class getTestClass() {
+ return Factory.class;
+ }
+
+}
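Review bot: `makeObject` returns `PrototypeFactory.getInstance(new ArrayList())`, which exercises only one of the two guarded factories: ArrayList has a public clone(), so if getInstance prefers the clone path as the Javadoc ordering in the first hunk suggests, the new PrototypeSerializationFactory hooks never see a serialization round-trip in this suite. Consider a second test whose `makeObject` returns `PrototypeFactory.getInstance(new Integer(1))` — Integer is Serializable but neither Cloneable nor copy-constructible — so both guards are covered. What AbstractTestSerialization actually asserts is not visible here, so this assumes it round-trips the object from makeObject and checks the guard's behaviour. The raw `ArrayList` and `Class` types match the rest of the file, so no change is suggested there.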