[jira] [Commented] (OFBIZ-11398) Issue with creating SEO CATEGORIES/PRODUCTS from catalog manager

    [ https://issues.apache.org/jira/browse/OFBIZ-11398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043409#comment-17043409 ]

ASF subversion and git services commented on OFBIZ-11398:
---------------------------------------------------------

Commit e78cc49d713f40822608491230de8432aafdd875 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e78cc49 ]

Fixed: Improve ObjectInputStream class (CVE-2019-0189)
Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)

Steps to generate:
1. Navigate to - catalog/control/EditProdCatalog?prodCatalogId=TestCatalog
2. Click on - CREATE SEO CATEGORY/PRODUCTS
3. The broken page will be displayed

The issue is due to the use of a GString in
createMissingCategoryAndProductAltUrls().

This:
    result.successMessageList = [
        "Categories updated: ${categoriesUpdated}",
        "Products updated: ${productsUpdated}"

As it's common to use such expressions I have added the necessary
org.codehaus.groovy.runtime.GStringImpl groovy.lang.GString
to the white list of classes in listOfSafeObjectsForInputStream in
SafeObjectInputStream.properties

I finally have also decided to use this property as default and commented for
committers to be aware that it should be also put in DEFAULT_WHITELIST_PATTERN
in SafeObjectInputStream class. Because if, for a reason,
listOfSafeObjectsForInputStream is empty OFBiz will still be protected

Thanks: Dikpal Kanungo for reporting

# Conflicts:
# SafeObjectInputStream.java
Handled by hand




--
This message was sent by Atlassian Jira
(v8.3.4#803005)