You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@ofbiz.apache.org by mt...@apache.org on 2019/10/26 14:54:21 UTC

svn commit: r1869003 - /ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Author: mthl
Date: Sat Oct 26 14:54:20 2019
New Revision: 1869003

URL: http://svn.apache.org/viewvc?rev=1869003&view=rev
Log:
Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)

There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled.  Mistakenly
only one class identifier was allowed.

The tests have not been backported from ‘trunk’ because of the way
‘UtilProperties#setPropertyValueInMemory’ work in 18.12.

Modified:
    ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Modified: ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1869003&r1=1869002&r2=1869003&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sat Oct 26 14:54:20 2019
@@ -24,9 +24,11 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Array;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
+import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -106,7 +108,10 @@ public final class UtilObject {
                 "ListOfSafeObjectsForInputStream");
         List<String> listOfSafeObjects = null;
         if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
-            listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+            listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+                    .map(String::trim)
+                    .filter(s -> !s.isEmpty())
+                    .collect(Collectors.toList());
         } else {
             listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
                     "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",