This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new 1a5bca9 Improved: Improve UtilObject class (OFBIZ-12216) 1a5bca9 is described below commit 1a5bca9190d2cce49ec5d9e820599df5da1f0ebf Author: Jacques Le Roux <[hidden email]> AuthorDate: Tue Mar 30 09:25:33 2021 +0200 Improved: Improve UtilObject class (OFBIZ-12216) This removes the inoffensive but annoying message in log (which does not show in trunk, see https://github.com/apache/ofbiz-framework/commit/27c9180/ Not the same as in trunk, simply handling with exception Rather than returning null, also shorten java.rmi.server to java.rmi to block more cases
---
 .../org/apache/ofbiz/base/util/SafeObjectInputStream.java | 11 ++++-------
 .../src/main/java/org/apache/ofbiz/base/util/UtilObject.java | 9 ++++-----
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index a24e027..5dc785a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -24,6 +24,7 @@ import static org.apache.ofbiz.base.util.UtilProperties.getPropertyValue;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.util.Arrays;
@@ -65,17 +66,13 @@ public final class SafeObjectInputStream extends ObjectInputStream {
 protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
 String className = classDesc.getName();
 // BlackList exploits; eg: don't allow RMI here
- if (className.contains("java.rmi.server")) {
- Debug.logWarning("***Incompatible class***: "
- + classDesc.getName()
- + ". java.rmi.server classes are not allowed for security reason",
- "SafeObjectInputStream");
- return null;
+ if (className.contains("java.rmi")) {
+ throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
 }
 if (!whitelistPattern.matcher(className).find()) {
 // DiskFileItem, FileItemHeadersImpl are not serializable.
 if (className.contains("org.apache.commons.fileupload")) {
- return null;
+ throw new ClassNotFoundException("DiskFileItem and FileItemHeadersImpl are not serializable.");
 }
 Debug.logWarning("***Incompatible class***: "
 + classDesc.getName()
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index e194a2c..e1908a8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -93,12 +93,11 @@ public final class UtilObject {
 Object obj = null;
 try {
 obj = getObjectException(bytes);
- // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
- if (obj == null) {
- return null;
- }
- } catch (ClassNotFoundException | IOException e) {
+ } catch (IOException e) {
 Debug.logError(e, module);
+ } catch (ClassNotFoundException e1) {
+ // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return ClassNotFoundException
+ return null;
 }
 return obj;
 }
|
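Review bot: The new `throw new ClassNotFoundException("DiskFileItem and FileItemHeadersImpl are not serializable.")` drops the name of the class that was actually rejected, so if the fileupload branch fires for any other class in that package the message misleads whoever reads the log; pass it through, e.g. `throw new ClassNotFoundException(className + " is not serializable (org.apache.commons.fileupload classes are not deserialised)");`. The replaced RMI branch logged a warning before bailing out, whereas the new InvalidClassException carries no log call, so the rejection is only visible if every caller of this stream logs the IOException it receives (UtilObject does so in this same commit; other callers cannot be checked from here). The whitelist check that follows is the control that actually matters, and it uses `find()`, which only behaves as an allowlist if `whitelistPattern` is anchored — the pattern's definition is outside the hunk, so this is worth confirming and stating in a comment on that line. resolveClass continues past the end of the hunk.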
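Review bot: The new `catch (ClassNotFoundException e1)` returns null without any logging, while the multi-catch it replaces logged every ClassNotFoundException through `Debug.logError`; the comment describes only the fileupload case, but the catch equally swallows a class that is genuinely absent from the classpath, which used to be visible in the log. Keep the quiet path for the documented case but record the rest, for instance `Debug.logWarning(e1, module);` ahead of `return null;`, or narrow the silent branch by inspecting the exception message if even a verbose log is unacceptable there. Rename `e1` to `e` to match the sibling catch, and fix the comment wording to `SafeObjectInputStream::resolveClass throws ClassNotFoundException`. The enclosing method's signature is above the hunk; only its body from the local `obj` onward is visible.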