Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/02/24 10:31:13 UTC
[ofbiz-framework] branch trunk updated: Fixed: Improve
ObjectInputStream class (CVE-2019-0189) Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 0e7d319 Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)
0e7d319 is described below
commit 0e7d31912b26a06d213fd5fb8739eacf02acfa79
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Feb 24 11:00:34 2020 +0100
Fixed: Improve ObjectInputStream class (CVE-2019-0189)
Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)
Steps to generate:
1. Navigate to - catalog/control/EditProdCatalog?prodCatalogId=TestCatalog
2. Click on - CREATE SEO CATEGORY/PRODUCTS
3. The broken page will be displayed
The issue is due to the use of a GString in
createMissingCategoryAndProductAltUrls().
This:
result.successMessageList = [
"Categories updated: ${categoriesUpdated}",
"Products updated: ${productsUpdated}"
As it's common to use such expressions, I have added the necessary
org.codehaus.groovy.runtime.GStringImpl and groovy.lang.GString
to the whitelist of classes in listOfSafeObjectsForInputStream in
SafeObjectInputStream.properties.
I have finally also decided to use this property as the default, and added a comment so that
committers are aware that it should also be put in DEFAULT_WHITELIST_PATTERN
in the SafeObjectInputStream class, because if, for some reason,
listOfSafeObjectsForInputStream is empty, OFBiz will still be protected.
Thanks: Dikpal Kanungo for reporting
---
framework/base/config/SafeObjectInputStream.properties | 6 ++++--
.../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 5 +++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/framework/base/config/SafeObjectInputStream.properties b/framework/base/config/SafeObjectInputStream.properties
index bdc5b4a..548eab7 100644
--- a/framework/base/config/SafeObjectInputStream.properties
+++ b/framework/base/config/SafeObjectInputStream.properties
@@ -21,7 +21,9 @@
# If you encounter a related issue (object not in the whitelist),
# you must provide a complete list of objects to pass to ObjectInputStream
# through ListOfSafeObjectsForInputStream property
-# As an example, the a complete list of objects used by OFBiz OOTB is commented out by default here.
+# As an example, the a complete list of objects used by OFBiz OOTB is here.
# You will need to add your objects/classes to this list.
+# OFBiz committers: don't forget to add newobjects in SafeObjectInputStream class too (as default there).
-#listOfSafeObjectsForInputStream=byte\\\\[\\\\], foo, SerializationInjector, \\\\[Z,\\\\[B,\\\\[S,\\\\[I,\\\\[J,\\\\[F,\\\\[D,\\\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*
+
+listOfSafeObjectsForInputStream=byte\\\\[\\\\], foo, SerializationInjector, \\\\[Z,\\\\[B,\\\\[S,\\\\[I,\\\\[J,\\\\[F,\\\\[D,\\\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString
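Review bot: now that the listOfSafeObjectsForInputStream line is uncommented and active by default, its patterns must be checked against the Java DEFAULT_WHITELIST_PATTERN at the escaping level, not just by eye: java.util.Properties consumes one level of backslash escaping on load, so `byte\\\\[\\\\]` reaches the regex engine as `byte\\[\\]` (a literal backslash followed by a character class), whereas the Java literal `"byte\\[\\]"` yields `byte\[\]`. Please confirm which form is intended; a pattern that never matches silently narrows the whitelist, and one that matches more than intended silently widens it. Two typos in the new comment lines: `the a complete list` and `newobjects`.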
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index b26093b..2aebcde 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -39,7 +39,8 @@ public final class SafeObjectInputStream extends ObjectInputStream {
private static final String[] DEFAULT_WHITELIST_PATTERN = {
"byte\\[\\]", "foo", "SerializationInjector",
"\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
- "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*" };
+ "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*",
+ "org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString"};
/** The regular expression used to match serialized types. */
private final Pattern whitelistPattern;
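Review bot: with the properties entry now populated by default, DEFAULT_WHITELIST_PATTERN is only reached when that property resolves to an empty string, so the same list is maintained by hand in two places and the only thing keeping them aligned is a comment in the properties file. Suggest a unit test that asserts the array here and the value of listOfSafeObjectsForInputStream resolve to the same set of trimmed patterns (or derive one from the other), so the two copies cannot drift apart over later commits.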
@@ -52,7 +53,7 @@ public final class SafeObjectInputStream extends ObjectInputStream {
*/
public SafeObjectInputStream(InputStream in) throws IOException {
super(in);
- String safeObjectsProp = getPropertyValue("SafeObjectInputStream", "ListOfSafeObjectsForInputStream");
+ String safeObjectsProp = getPropertyValue("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
String[] whitelist = safeObjectsProp.isEmpty() ? DEFAULT_WHITELIST_PATTERN : safeObjectsProp.split(",");
whitelistPattern = Arrays.stream(whitelist)
.map(String::trim)
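Review bot: the lookup key passed to getPropertyValue is `ListOfSafeObjectsForInputStream` (capital L) while the properties file defines `listOfSafeObjectsForInputStream` (lowercase l), and the comment in the properties file uses the capitalized form as well. Unless getPropertyValue is case-insensitive, the value is never found, the new `""` default is returned every time, and the whitelist silently falls back to DEFAULT_WHITELIST_PATTERN, which would hide exactly the configuration this commit intends to make the default. Please confirm the key, and consider logging which source the whitelist was taken from so operators can tell at startup. The `""` default itself is correct: it avoids a NullPointerException on `safeObjectsProp.isEmpty()` when the property is absent.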