[ofbiz-framework] branch release18.12 updated: Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch release18.12 updated: Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new ee51eb7  Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
ee51eb7 is described below

commit ee51eb7360108f50d4b3d4280317dc810b5ec2c1
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Feb 5 11:02:28 2021 +0100

    Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
   
    Adds an example based on RMI which is known to be a problem
---
 .../org/apache/ofbiz/base/util/SafeObjectInputStream.java   | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index d50cfbf..a24e027 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -63,9 +63,18 @@ public final class SafeObjectInputStream extends ObjectInputStream {
 
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
-        if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+        String className = classDesc.getName();
+        // BlackList exploits; eg: don't allow RMI here
+        if (className.contains("java.rmi.server")) {
+            Debug.logWarning("***Incompatible class***: "
+                    + classDesc.getName()
+                    + ". java.rmi.server classes are not allowed for security reason",
+                    "SafeObjectInputStream");
+            return null;
+        }
+        if (!whitelistPattern.matcher(className).find()) {
             // DiskFileItem, FileItemHeadersImpl are not serializable.
-            if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+            if (className.contains("org.apache.commons.fileupload")) {
                 return null;
             }
             Debug.logWarning("***Incompatible class***: "