You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by tn...@apache.org on 2015/11/08 23:19:57 UTC
svn commit: r1713307 - in
/commons/proper/collections/branches/COLLECTIONS_3_2_X/src:
changes/changes.xml
java/org/apache/commons/collections/functors/InvokerTransformer.java
test/org/apache/commons/collections/functors/TestInvokerTransformer.java
Author: tn
Date: Sun Nov 8 22:19:57 2015
New Revision: 1713307
URL: http://svn.apache.org/viewvc?rev=1713307&view=rev
Log:
[COLLECTIONS-580] Proposed fix for remote code exploits by disabling de-serialization of InvokerTransformer by default.
Added:
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java (with props)
Modified:
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
Modified: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml?rev=1713307&r1=1713306&r2=1713307&view=diff
==============================================================================
--- commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml (original)
+++ commons/proper/collections/branches/COLLECTIONS_3_2_X/src/changes/changes.xml Sun Nov 8 22:19:57 2015
@@ -23,6 +23,12 @@
<release version="3.2.2" date="20XX-XX-XX" description="This is a bugfix release.">
+ <action issue="COLLECTIONS-580" dev="tn" type="update">
+ De-serialization of "InvokerTransformer" is disabled by default as this
+ can be exploited for remote code execution attacks. To re-enable the
+ feature the system property "org.apache.commons.collections.invokertransformer.enableDeserialization"
+ needs to be set to "true".
+ </action>
<action issue="COLLECTIONS-538" dev="tn" type="fix" due-to="Trejkaz">
"ExtendedProperties" will now use a privileged action to access the
"file.separator" system property. In case the class does not have
Modified: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
URL: http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java?rev=1713307&r1=1713306&r2=1713307&view=diff
==============================================================================
--- commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java (original)
+++ commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java Sun Nov 8 22:19:57 2015
@@ -16,9 +16,13 @@
*/
package org.apache.commons.collections.functors;
+import java.io.IOException;
+import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import org.apache.commons.collections.FunctorException;
import org.apache.commons.collections.Transformer;
@@ -35,7 +39,11 @@ public class InvokerTransformer implemen
/** The serial version */
private static final long serialVersionUID = -8653385846894047688L;
-
+
+ /** System property key to enable de-serialization */
+ public final static String DESERIALIZE
+ = "org.apache.commons.collections.invokertransformer.enableDeserialization";
+
/** The method name to call */
private final String iMethodName;
/** The array of reflection parameter types */
@@ -134,4 +142,28 @@ public class InvokerTransformer implemen
}
}
+ /**
+ * Overrides the default readObject implementation to prevent
+ * de-serialization (see COLLECTIONS-580).
+ */
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ String deserializeProperty;
+
+ try {
+ deserializeProperty =
+ (String) AccessController.doPrivileged(new PrivilegedAction() {
+ public Object run() {
+ return System.getProperty(DESERIALIZE);
+ }
+ });
+ } catch (SecurityException ex) {
+ deserializeProperty = null;
+ }
+
+ if (deserializeProperty == null || !deserializeProperty.equalsIgnoreCase("true")) {
+ throw new UnsupportedOperationException("Deserialization of InvokerTransformer is disabled, ");
+ }
+
+ is.defaultReadObject();
+ }
}
Added: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
URL: http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java?rev=1713307&view=auto
==============================================================================
--- commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java (added)
+++ commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java Sun Nov 8 22:19:57 2015
@@ -0,0 +1,77 @@
+package org.apache.commons.collections.functors;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+
+import org.apache.commons.collections.BulkTest;
+
+import junit.framework.Assert;
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+public class TestInvokerTransformer extends BulkTest {
+
+ // conventional
+ // ------------------------------------------------------------------------
+
+ public TestInvokerTransformer(String testName) {
+ super(testName);
+ }
+
+ public static Test suite() {
+ return new TestSuite(TestInvokerTransformer.class);
+ }
+
+ // ------------------------------------------------------------------------
+
+ public void testSerializationDisabled() throws Exception {
+ Assert.assertNull(System.getProperty(InvokerTransformer.DESERIALIZE));
+ InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+ byte[] data = serialize(transformer);
+ Assert.assertNotNull(data);
+ try {
+ deserialize(data);
+ fail("de-serialization of InvokerTransformer should be disabled by default");
+ } catch (UnsupportedOperationException ex) {
+ // expected
+ }
+ }
+
+ public void testSerializationEnabled() throws Exception {
+ Assert.assertNull(System.getProperty(InvokerTransformer.DESERIALIZE));
+ System.setProperty(InvokerTransformer.DESERIALIZE, "true");
+
+ InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+ byte[] data = serialize(transformer);
+ Assert.assertNotNull(data);
+ try {
+ Object obj = deserialize(data);
+ Assert.assertTrue(obj instanceof InvokerTransformer);
+ } catch (UnsupportedOperationException ex) {
+ fail("de-serialization of InvokerTransformer should be enabled");
+ }
+
+ System.clearProperty(InvokerTransformer.DESERIALIZE);
+ }
+
+ private byte[] serialize(InvokerTransformer transformer) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+
+ oos.writeObject(transformer);
+ oos.close();
+
+ return baos.toByteArray();
+ }
+
+ private Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
+ ByteArrayInputStream bais = new ByteArrayInputStream(data);
+ ObjectInputStream iis = new ObjectInputStream(bais);
+
+ return iis.readObject();
+ }
+
+}
Propchange: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
------------------------------------------------------------------------------
svn:keywords = Id Revision HeadURL
Propchange: commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
------------------------------------------------------------------------------
svn:mime-type = text/plain