[ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 0e7d319  Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)
0e7d319 is described below

commit 0e7d31912b26a06d213fd5fb8739eacf02acfa79
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Feb 24 11:00:34 2020 +0100

    Fixed: Improve ObjectInputStream class (CVE-2019-0189)
    Improved: no functional change
    (OFBIZ-10837) (OFBIZ-11398)
   
    Steps to generate:
    1. Navigate to - catalog/control/EditProdCatalog?prodCatalogId=TestCatalog
    2. Click on - CREATE SEO CATEGORY/PRODUCTS
    3. The broken page will be displayed
   
    The issue is due to the use of a GString in
    createMissingCategoryAndProductAltUrls().
   
    This:
        result.successMessageList = [
            "Categories updated: ${categoriesUpdated}",
            "Products updated: ${productsUpdated}"
   
    As it's common to use such expressions I have added the necessary
    classes, org.codehaus.groovy.runtime.GStringImpl and groovy.lang.GString,
    to the whitelist of classes in listOfSafeObjectsForInputStream in
    SafeObjectInputStream.properties
   
    I have also finally decided to use this property by default and added a
    comment for committers to be aware that it should also be put in
    DEFAULT_WHITELIST_PATTERN in the SafeObjectInputStream class, because if,
    for some reason, listOfSafeObjectsForInputStream is empty OFBiz will still be protected
   
    Thanks: Dikpal Kanungo for reporting
---
 framework/base/config/SafeObjectInputStream.properties              | 6 ++++--
 .../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/framework/base/config/SafeObjectInputStream.properties b/framework/base/config/SafeObjectInputStream.properties
index bdc5b4a..548eab7 100644
--- a/framework/base/config/SafeObjectInputStream.properties
+++ b/framework/base/config/SafeObjectInputStream.properties
@@ -21,7 +21,9 @@
 # If you encounter a related issue (object not in the whitelist),
 # you must provide a complete list of objects to pass to ObjectInputStream
 # through ListOfSafeObjectsForInputStream property
-# As an example, the a complete list of objects  used by OFBiz OOTB is commented out by default here.
+# As an example, the a complete list of objects  used by OFBiz OOTB is here.
 # You will need to add your objects/classes to this list.
+# OFBiz committers: don't forget to add newobjects in SafeObjectInputStream class too (as default there).
 
-#listOfSafeObjectsForInputStream=byte\\\\[\\\\], foo, SerializationInjector, \\\\[Z,\\\\[B,\\\\[S,\\\\[I,\\\\[J,\\\\[F,\\\\[D,\\\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*
+
+listOfSafeObjectsForInputStream=byte\\\\[\\\\], foo, SerializationInjector, \\\\[Z,\\\\[B,\\\\[S,\\\\[I,\\\\[J,\\\\[F,\\\\[D,\\\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString
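Review bot: the new comment on the last line of the header block has a typo ("newobjects") and the retained line above it still reads "the a complete list of objects  used"; since this file is now the active default rather than a commented-out example, also state here that the property is consulted first and DEFAULT_WHITELIST_PATTERN only when it is empty. Separately, verify the escaping now that the key is live: a .properties loader collapses `\\\\[Z` to the string `\\[Z`, which is not the same regex as the Java literal `"\\[Z"` (string `\[Z`) used in the Java default, and `byte\\\\[\\\\]` likewise does not reduce to `byte\[\]`. Add a unit test that compiles the property value exactly as the constructor does and asserts it accepts `[Z`, `byte[]` and `org.codehaus.groovy.runtime.GStringImpl` while rejecting a class outside the list, so the two lists are proven equivalent rather than assumed to be.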
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index b26093b..2aebcde 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -39,7 +39,8 @@ public final class SafeObjectInputStream extends ObjectInputStream {
     private static final String[] DEFAULT_WHITELIST_PATTERN = {
             "byte\\[\\]", "foo", "SerializationInjector",
             "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
-            "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*" };
+            "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*",
+            "org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString"};
 
     /** The regular expression used to match serialized types. */
     private final Pattern whitelistPattern;
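Review bot: the two Groovy entries are the narrowest part of this list; the `java..*` entry beside them admits every class under java.* (the second dot matches any character, so java.util, java.rmi and the rest), which is where most published deserialization gadget chains start, and the `foo` and `SerializationInjector` entries look like test placeholders that should not ship in a production default. Consider narrowing `java..*` to the packages OFBiz actually serializes (for example java.lang, java.util, java.sql, java.math), dropping `foo`, and documenting why each remaining entry is needed; and make sure the matcher built from these patterns is anchored, since with an unanchored find() a pattern such as `foo` or `java..*` matches any class name that merely contains that substring.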
@@ -52,7 +53,7 @@ public final class SafeObjectInputStream extends ObjectInputStream {
      */
     public SafeObjectInputStream(InputStream in) throws IOException {
         super(in);
-        String safeObjectsProp = getPropertyValue("SafeObjectInputStream", "ListOfSafeObjectsForInputStream");
+        String safeObjectsProp = getPropertyValue("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
         String[] whitelist = safeObjectsProp.isEmpty() ? DEFAULT_WHITELIST_PATTERN : safeObjectsProp.split(",");
         whitelistPattern = Arrays.stream(whitelist)
                 .map(String::trim)
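Review bot: the added default `""` on the getPropertyValue call avoids an NPE on the `isEmpty()` check that follows, but the key is still looked up as `ListOfSafeObjectsForInputStream` while the properties file in the first hunk of this patch defines `listOfSafeObjectsForInputStream` (lower-case l). java.util.Properties keys are case-sensitive, so unless getPropertyValue normalises case the property is never found, safeObjectsProp is always empty and DEFAULT_WHITELIST_PATTERN is always in force; the list uncommented in the properties file would then have no effect. Align the two spellings and add a test that sets the property to a single pattern and asserts that pattern is the one applied, so the fallback described in the commit message is a real fallback rather than the only path.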