[ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)


[ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 356be25  Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)
356be25 is described below

commit 356be25ad21ff45494af17495e485a292f4093e3
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Feb 24 12:55:28 2020 +0100

    Fixed: Improve ObjectInputStream class (CVE-2019-0189)
    Improved: no functional change
    (OFBIZ-10837) (OFBIZ-11398)
   
    I missed updating the refactored UtilObject class
---
 .../org/apache/ofbiz/base/util/UtilObject.java     | 31 +++++++---------------
 1 file changed, 9 insertions(+), 22 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index d73aa55..eb7666a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -24,11 +24,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Array;
-import java.util.Arrays;
 import java.util.Iterator;
-import java.util.List;
 import java.util.ServiceLoader;
-import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -102,27 +99,17 @@ public final class UtilObject {
         return obj;
     }
 
-    /** Deserialize a byte array back to an object */
+    /**
+     * Deserializes a byte array back to an object.
+     *
+     * @param bytes  the array of bytes
+     * @return the deserialized object.
+     * @throws ClassNotFoundException when the class can not be deserialized.
+     * @throws IOException when a general Input/Output error happen.
+     */
     public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
-        String listOfSafeObjectsForInputStream = UtilProperties.getPropertyValue("SafeObjectInputStream",
-                "ListOfSafeObjectsForInputStream");
-        List<String> listOfSafeObjects = null;
-        if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
-            listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
-                    .map(String::trim)
-                    .filter(s -> !s.isEmpty())
-                    .collect(Collectors.toList());
-        } else {
-            listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
-                    "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
-                    "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*");
-        } // "foo" and, "SerializationInjector" are used in UtilObjectTests::testGetObject
-        
         try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
-                SafeObjectInputStream wois = new SafeObjectInputStream(bis,
-                        Thread.currentThread().getContextClassLoader(),
-                        listOfSafeObjects)) {;
-                        
+                SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
             return wois.readObject();
         }
     }
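Review bot: The Javadoc added at the top of this hunk never says that deserialization is filtered, which is the only reason `getObjectException` wraps the bytes in `SafeObjectInputStream` instead of a plain `ObjectInputStream`; a caller reading this signature cannot tell that an object whose class is outside the allow-list fails to read. The allow-list and the context class loader that the removed lines passed explicitly are now chosen inside the one-argument `SafeObjectInputStream` constructor, which is outside this diff, so whether the `SafeObjectInputStream.properties` override still takes effect cannot be confirmed from here and deserves a test. I would add to the Javadoc: `Only classes accepted by {@link SafeObjectInputStream} can be read; this is still native Java deserialization and must not be fed bytes from an untrusted source.` The `@throws` wording is also off: `@throws ClassNotFoundException when the class of a serialized object cannot be found.` and `@throws IOException when a general input/output error happens.`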