Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/03/30 10:37:26 UTC
[ofbiz-framework] branch trunk updated: Improved: Improve
UtilObject class (OFBIZ-12216)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 1bc8a20 Improved: Improve UtilObject class (OFBIZ-12216)
1bc8a20 is described below
commit 1bc8a206346f251c9076c2fb9babc896ba6bdf0d
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Tue Mar 30 09:25:33 2021 +0200
Improved: Improve UtilObject class (OFBIZ-12216)
Removes "DiskFileItem, FileItemHeadersImpl are not serializable" case. It does
not appear in trunk.
Handling with an exception rather than returning null cleans up the UtilObject class.
Restrict unauthorized deserialisations to java.rmi instead of java.rmi.server
---
.../apache/ofbiz/base/util/SafeObjectInputStream.java | 16 ++++------------
.../main/java/org/apache/ofbiz/base/util/UtilObject.java | 8 ++------
2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index e846081..8bab7be 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -24,6 +24,7 @@ import static org.apache.ofbiz.base.util.UtilProperties.getPropertyValue;
import java.io.IOException;
import java.io.InputStream;
+import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
@@ -64,20 +65,11 @@ public final class SafeObjectInputStream extends ObjectInputStream {
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
String className = classDesc.getName();
// DenyList exploits; eg: don't allow RMI here
- if (className.contains("java.rmi.server")) {
- Debug.logWarning("***Incompatible class***: "
- + classDesc.getName()
- + ". java.rmi.server classes are not allowed for security reason",
- "SafeObjectInputStream");
- return null;
+ if (className.contains("java.rmi")) {
+ throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
}
if (!allowlistPattern.matcher(className).find()) {
- // DiskFileItem, FileItemHeadersImpl are not serializable.
- if (className.contains("org.apache.commons.fileupload")) {
- return null;
- }
- Debug.logWarning("***Incompatible class***: "
- + classDesc.getName()
+ Debug.logWarning("***Incompatible class***: " + className
+ ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. "
+ "Else follow https://s.apache.org/45war",
"SafeObjectInputStream");
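Review bot: The java.rmi deny branch now throws without logging, while the allowlist miss just below still emits a Debug.logWarning, so the two rejection paths in resolveClass are inconsistent and a blocked RMI class is only visible if the caller happens to log the InvalidClassException (UtilObject.getObject does, but direct users of SafeObjectInputStream or getObjectException do not). Keeping a warning before the throw preserves the detection signal the old code had, e.g. `Debug.logWarning("***Unauthorized class***: " + className + ". java.rmi classes are not allowed for security reason", "SafeObjectInputStream");` followed by the existing `throw new InvalidClassException(className, "Unauthorized deserialisation attempt");`. Note also that `className.contains("java.rmi")` is a substring match rather than a package-prefix check; that is the stricter direction for a deny list, but a one-line comment saying so would stop a later maintainer from "fixing" it to `startsWith`. The allowlist-miss branch and the rest of resolveClass continue past the end of the hunk.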
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index 2dd1dcb..ad1de2f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -77,11 +77,7 @@ public final class UtilObject {
Object obj = null;
try {
obj = getObjectException(bytes);
- // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
- if (obj == null) {
- return null;
- }
- } catch (ClassNotFoundException | IOException e) {
+ } catch (IOException | ClassCastException | ClassNotFoundException e) {
Debug.logError(e, MODULE);
}
return obj;
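Review bot: The catch now folds ClassCastException, an unchecked exception, into the same logError-and-return-null path as the I/O and class-lookup failures, but nothing in the hunk shows where it is expected to originate: getObjectException returns Object, so no cast happens on the call at line `obj = getObjectException(bytes);`, and it presumably comes from inside readObject() while the graph is being rebuilt. A caller receiving null also cannot distinguish a blocked class (the InvalidClassException SafeObjectInputStream now throws) from a corrupt stream, since both are logged and swallowed here. A short comment on the catch naming the expected origin, e.g. `// ClassCastException: may surface from the deserialised graph's own readObject()/readResolve() — not from the call above`, would make the intent auditable; the same undocumented exception is added to the throws clause in the getObjectException hunk below. getObject's signature and Javadoc lie outside this hunk.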
@@ -94,7 +90,7 @@ public final class UtilObject {
* @throws ClassNotFoundException when the class can not be deserialized.
* @throws IOException when a general Input/Output error happen.
*/
- public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
+ public static Object getObjectException(byte[] bytes) throws ClassCastException, ClassNotFoundException, IOException {
try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
return wois.readObject();
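Review bot: The new throws clause lists ClassCastException, but the Javadoc immediately above it still documents only ClassNotFoundException and IOException, and because ClassCastException is unchecked the `throws` entry has no effect on callers beyond documentation. Either drop it from the signature or add a matching Javadoc line such as `* @throws ClassCastException when the deserialised object graph raises it (unchecked; listed for documentation only).` so the two stay in sync. The try-with-resources body continues past the end of the hunk.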