OFBiz › OFBiz - Commits

[ofbiz-framework] branch release18.12 updated: Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

jleroux@apache.org

[ofbiz-framework] branch release18.12 updated: Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release18.12 by this push:
new ee51eb7 Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
ee51eb7 is described below

commit ee51eb7360108f50d4b3d4280317dc810b5ec2c1
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Feb 5 11:02:28 2021 +0100

Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)

Adds an example based on RMI which is known to be a problem
---
.../org/apache/ofbiz/base/util/SafeObjectInputStream.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index d50cfbf..a24e027 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -63,9 +63,18 @@ public final class SafeObjectInputStream extends ObjectInputStream {

@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
- if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+ String className = classDesc.getName();
+ // BlackList exploits; eg: don't allow RMI here
+ if (className.contains("java.rmi.server")) {
+ Debug.logWarning("***Incompatible class***: "
+ + classDesc.getName()
+ + ". java.rmi.server classes are not allowed for security reason",
+ "SafeObjectInputStream");
+ return null;
+ }
+ if (!whitelistPattern.matcher(className).find()) {
// DiskFileItem, FileItemHeadersImpl are not serializable.
- if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+ if (className.contains("org.apache.commons.fileupload")) {
return null;
}
Debug.logWarning("***Incompatible class***: "