This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 356be25 Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)
356be25 is described below
commit 356be25ad21ff45494af17495e485a292f4093e3
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Mon Feb 24 12:55:28 2020 +0100
Fixed: Improve ObjectInputStream class (CVE-2019-0189)
Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)
I missed updating the refactored UtilObject class
---
.../org/apache/ofbiz/base/util/UtilObject.java | 31 +++++++---------------
1 file changed, 9 insertions(+), 22 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index d73aa55..eb7666a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -24,11 +24,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
-import java.util.Arrays;
import java.util.Iterator;
-import java.util.List;
import java.util.ServiceLoader;
-import java.util.stream.Collectors;
import org.apache.ofbiz.base.lang.Factory;
import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -102,27 +99,17 @@ public final class UtilObject {
return obj;
}
- /** Deserialize a byte array back to an object */
+ /**
+ * Deserializes a byte array back to an object.
+ *
+ * @param bytes the array of bytes
+ * @return the deserialized object.
+ * @throws ClassNotFoundException when the class can not be deserialized.
+ * @throws IOException when a general Input/Output error happen.
+ */
public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
- String listOfSafeObjectsForInputStream = UtilProperties.getPropertyValue("SafeObjectInputStream",
- "ListOfSafeObjectsForInputStream");
- List<String> listOfSafeObjects = null;
- if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
- listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
- .map(String::trim)
- .filter(s -> !s.isEmpty())
- .collect(Collectors.toList());
- } else {
- listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
- "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
- "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*");
- } // "foo" and, "SerializationInjector" are used in UtilObjectTests::testGetObject
-
try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
- SafeObjectInputStream wois = new SafeObjectInputStream(bis,
- Thread.currentThread().getContextClassLoader(),
- listOfSafeObjects)) {;
-
+ SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
return wois.readObject();
}
}
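Review bot: The rewritten resource line `SafeObjectInputStream wois = new SafeObjectInputStream(bis)` no longer passes the context class loader or an explicit allow-list, so which loader resolves classes and which classes may be deserialized now depends entirely on the one-argument constructor of SafeObjectInputStream, which is outside this hunk; it is worth confirming that constructor still reads `ListOfSafeObjectsForInputStream` from the `SafeObjectInputStream` properties and still has a fallback list, because the fallback list (including the `foo` and `SerializationInjector` entries that the removed comment says UtilObjectTests::testGetObject relies on) is deleted here rather than moved. The new Javadoc should make the restriction visible to callers, e.g. add the line `* Only classes permitted by the {@link SafeObjectInputStream} allow-list are deserialized.` before the `@param` tag. Also, `@throws IOException when a general Input/Output error happen.` should read `happens`.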