Posted to commits@commons.apache.org by ch...@apache.org on 2017/07/11 17:55:51 UTC
[21/50] commons-collections git commit: [COLLECTIONS-580] Add javadoc,
improve error message and apply review comments.
[COLLECTIONS-580] Add javadoc, improve error message and apply review comments.
git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713537 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/commons-collections/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-collections/commit/5ec476b0
Tree: http://git-wip-us.apache.org/repos/asf/commons-collections/tree/5ec476b0
Diff: http://git-wip-us.apache.org/repos/asf/commons-collections/diff/5ec476b0
Branch: refs/heads/COLLECTIONS_3_2_X
Commit: 5ec476b0b756852db865b2e442180f091f8209ee
Parents: fd61086
Author: Thomas Neidhart <tn...@apache.org>
Authored: Mon Nov 9 21:09:05 2015 +0000
Committer: Thomas Neidhart <tn...@apache.org>
Committed: Mon Nov 9 21:09:05 2015 +0000
----------------------------------------------------------------------
.../functors/InvokerTransformer.java | 18 ++++++++++++++++--
.../functors/TestInvokerTransformer.java | 20 +++++++++++---------
2 files changed, 27 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/5ec476b0/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
index 2dcf09c..580a229 100644
--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
+++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
@@ -18,6 +18,7 @@ package org.apache.commons.collections.functors;
import java.io.IOException;
import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
@@ -29,6 +30,17 @@ import org.apache.commons.collections.Transformer;
/**
* Transformer implementation that creates a new object instance by reflection.
+ * <p>
+ * <b>WARNING:</b> from v3.2.2 onwards this class will throw an
+ * {@link UnsupportedOperationException} when trying to de-serialize an
+ * instance from a {@link ObjectOutputStream} to prevent potential
+ * remote code execution exploits.
+ * <p>
+ * In order to re-enable de-serialization of {@code InvokerTransformer}
+ * instances, the following system property can be used (via -Dproperty=true):
+ * <pre>
+ * org.apache.commons.collections.invokertransformer.enableDeserialization
+ * </pre>
*
* @since Commons Collections 3.0
* @version $Revision$ $Date$
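Review bot: The new Javadoc line ` * instance from a {@link ObjectOutputStream} to prevent potential` names the wrong stream: an instance is de-serialized from an `ObjectInputStream`, which is the type `readObject` already takes and which the file already imports, while the `ObjectOutputStream` import added in the previous hunk appears to exist only to satisfy this link. Change the line to ` * instance from a {@link ObjectInputStream} to prevent potential` and drop the new import. The paragraph would also serve operators better if it stated the scope of the switch, since the check in `readObject` below appears to read the property on each de-serialization rather than once at class load, e.g. ` * The property is read on every de-serialization and applies to all InvokerTransformer instances in the JVM.`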
@@ -160,8 +172,10 @@ public class InvokerTransformer implements Transformer, Serializable {
deserializeProperty = null;
}
- if (deserializeProperty == null || !deserializeProperty.equalsIgnoreCase("true")) {
- throw new UnsupportedOperationException("Deserialization of InvokerTransformer is disabled, ");
+ if (!"true".equalsIgnoreCase(deserializeProperty)) {
+ throw new UnsupportedOperationException(
+ "Deserialization of InvokerTransformer is disabled for security reasons. " +
+ "To re-enable it set system property '" + DESERIALIZE + "' to 'true'");
}
is.defaultReadObject();
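Review bot: The rewritten guard `if (!"true".equalsIgnoreCase(deserializeProperty))` now also rejects the case where the property lookup failed (the `deserializeProperty = null;` assignment just above looks like the tail of a catch block), so a failed lookup fails closed; that is the right default, but nothing in the code says it is deliberate. A comment above the check, `// null (unset, or lookup failed) means disabled: fail closed`, would stop a later maintainer from turning it into a permissive default. It is also worth recording in the method Javadoc that the check runs before `is.defaultReadObject()`, so no fields are read from the stream when de-serialization is refused. The enclosing `readObject` method, including the try/catch around the property lookup, starts outside the hunk.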
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/5ec476b0/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
----------------------------------------------------------------------
diff --git a/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java b/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
index 9129471..4b48a59 100644
--- a/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
+++ b/src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
@@ -44,17 +44,19 @@ public class TestInvokerTransformer extends BulkTest {
Assert.assertNull(System.getProperty(InvokerTransformer.DESERIALIZE));
System.setProperty(InvokerTransformer.DESERIALIZE, "true");
- InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
- byte[] data = serialize(transformer);
- Assert.assertNotNull(data);
try {
- Object obj = deserialize(data);
- Assert.assertTrue(obj instanceof InvokerTransformer);
- } catch (UnsupportedOperationException ex) {
- fail("de-serialization of InvokerTransformer should be enabled");
+ InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+ byte[] data = serialize(transformer);
+ Assert.assertNotNull(data);
+ try {
+ Object obj = deserialize(data);
+ Assert.assertTrue(obj instanceof InvokerTransformer);
+ } catch (UnsupportedOperationException ex) {
+ fail("de-serialization of InvokerTransformer should be enabled");
+ }
+ } finally {
+ System.clearProperty(InvokerTransformer.DESERIALIZE);
}
-
- System.clearProperty(InvokerTransformer.DESERIALIZE);
}
private byte[] serialize(InvokerTransformer transformer) throws IOException {
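Review bot: The test only exercises the enabled path (property set to "true" at `System.setProperty(InvokerTransformer.DESERIALIZE, "true")`); the security-relevant default, where the property is absent and `deserialize(data)` must throw `UnsupportedOperationException`, is not asserted in this hunk, and I cannot tell from here whether a sibling test covers it. If none does, a companion test that serializes the same transformer without setting the property and passes only when `deserialize` throws would pin the fail-closed behaviour the commit relies on. As a minor point of style, `fail("de-serialization of InvokerTransformer should be enabled");` discards the caught exception's message, so `fail("de-serialization of InvokerTransformer should be enabled: " + ex.getMessage());` would make a regression easier to diagnose.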