[ofbiz-framework] branch release18.12 updated: Improved: Improve
UtilObject class (OFBIZ-12216)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 0f82c26 Improved: Improve UtilObject class (OFBIZ-12216)
0f82c26 is described below
commit 0f82c2679fcad6297948e49c4e7d7a26fc08e777
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Tue Mar 30 09:25:33 2021 +0200
Improved: Improve UtilObject class (OFBIZ-12216)
This removes the inoffensive but annoying message in log (which does not show in
trunk, see https://github.com/apache/ofbiz-framework/commit/27c9180/
Not the same as in trunk: this simply handles the case with an exception rather than returning
null, and also shortens java.rmi.server to java.rmi to block more cases
---
.../org/apache/ofbiz/base/util/SafeObjectInputStream.java | 11 ++++-------
.../src/main/java/org/apache/ofbiz/base/util/UtilObject.java | 9 ++++-----
2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index a24e027..5dc785a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -24,6 +24,7 @@ import static org.apache.ofbiz.base.util.UtilProperties.getPropertyValue;
import java.io.IOException;
import java.io.InputStream;
+import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
@@ -65,17 +66,13 @@ public final class SafeObjectInputStream extends ObjectInputStream {
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
String className = classDesc.getName();
// BlackList exploits; eg: don't allow RMI here
- if (className.contains("java.rmi.server")) {
- Debug.logWarning("***Incompatible class***: "
- + classDesc.getName()
- + ". java.rmi.server classes are not allowed for security reason",
- "SafeObjectInputStream");
- return null;
+ if (className.contains("java.rmi")) {
+ throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
}
if (!whitelistPattern.matcher(className).find()) {
// DiskFileItem, FileItemHeadersImpl are not serializable.
if (className.contains("org.apache.commons.fileupload")) {
- return null;
+ throw new ClassNotFoundException("DiskFileItem and FileItemHeadersImpl are not serializable.");
}
Debug.logWarning("***Incompatible class***: "
+ classDesc.getName()
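Review bot: The new `throw new InvalidClassException(className, "Unauthorized deserialisation attempt")` at the `java.rmi` check drops the warning the removed lines used to emit, so a blocked RMI class is now recorded only if the caller happens to log the IOException; a deserialization probe of this kind is worth logging at the stream itself regardless of caller, e.g. keep `Debug.logWarning("***Incompatible class***: " + className + ". java.rmi classes are not allowed for security reason", "SafeObjectInputStream");` immediately before the throw. The substring match on `java.rmi` also does not cover `javax.rmi` or `sun.rmi` names; presumably the whitelist check that follows rejects those, so the blacklist is defense in depth only, and the `// BlackList exploits` comment could say so. The `ClassNotFoundException` for the commons-fileupload case could include `className` in its message so a caller's log is actionable if it ever stops swallowing it. resolveClass continues past the end of the hunk, including the branch taken when the whitelist check fails.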
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index e194a2c..e1908a8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -93,12 +93,11 @@ public final class UtilObject {
Object obj = null;
try {
obj = getObjectException(bytes);
- // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
- if (obj == null) {
- return null;
- }
- } catch (ClassNotFoundException | IOException e) {
+ } catch (IOException e) {
Debug.logError(e, module);
+ } catch (ClassNotFoundException e1) {
+ // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return ClassNotFoundException
+ return null;
}
return obj;
}
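Review bot: The `catch (ClassNotFoundException e1)` branch returns null for every ClassNotFoundException, not only the commons-fileupload case the comment describes, so an unknown or unapproved class inside a serialized payload (which is also what a gadget probe against SafeObjectInputStream looks like) now disappears without any log line. If the intent is only to silence the fileupload message, log the remaining cases at least at warning level, e.g. `Debug.logWarning(e1.getMessage(), module);` before `return null;`, or have SafeObjectInputStream signal the fileupload case distinctly so that only that one is suppressed. The comment is also inaccurate as written: resolveClass throws the exception rather than returning it, so `// DiskFileItem, FileItemHeadersImpl are not serializable, so SafeObjectInputStream::resolveClass throws ClassNotFoundException` reads correctly. The enclosing method's signature lies outside the hunk.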