[ofbiz-framework] branch release17.12 updated: Improved: Improve ObjectInputStream denyList (OFBIZ-12221)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 27adfed  Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
27adfed is described below

commit 27adfed9f0293f08563aca09e125b78966a84635
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Apr 5 17:03:12 2021 +0200

    Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
   
    Prevents generics markup in string type names.
   
    Conflict handled by hand
      framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
---
 .../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 5dc785a..5c1b8b6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -65,8 +65,9 @@ public final class SafeObjectInputStream extends ObjectInputStream {
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
         String className = classDesc.getName();
-        // BlackList exploits; eg: don't allow RMI here
-        if (className.contains("java.rmi")) {
+        // DenyList
+        if (className.contains("java.rmi") // Don't allow RMI
+                || className.contains("<")) { // Prevent generics markup in string type names
             throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
         }
         if (!whitelistPattern.matcher(className).find()) {
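Review bot: the new `className.contains("<")` check is a substring denylist placed in front of the allowlist, and the allowlist check on the trailing context line uses `whitelistPattern.matcher(className).find()`, which accepts a name as soon as the pattern matches anywhere in it rather than requiring the whole name to match. If the reason for rejecting `<` is that crafted names can satisfy such a partial match, consider anchoring the pattern (or using `matches()`) so the denylist is not the only guard, and expand the inline comment `// Prevent generics markup in string type names` to state which input the `<` check rejects, since a class name returned by `ObjectStreamClass.getName()` would not normally carry generics markup.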