This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new fcc0078 Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
fcc0078 is described below
commit fcc0078b6041fad4b9d34a7c2dd6e6a263da383a
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Mon Apr 5 17:03:12 2021 +0200
Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
Prevents generics markup in string type names.
---
.../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 8bab7be..f9d93b2 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -64,8 +64,9 @@ public final class SafeObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
String className = classDesc.getName();
- // DenyList exploits; eg: don't allow RMI here
- if (className.contains("java.rmi")) {
+ // DenyList
+ if (className.contains("java.rmi") // Don't allow RMI
+ || className.contains("<")) { // Prevent generics markup in string type names
throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
}
if (!allowlistPattern.matcher(className).find()) {
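Review bot: The added `className.contains("<")` clause tightens the denylist, but the denylist is still only a secondary control here; the allowlist check that follows uses `find()`, which accepts a name whenever the pattern matches any substring of it, so the real strength of this method depends on `allowlistPattern` being anchored (its definition is outside the hunk — worth confirming). A check placed only in `resolveClass` also does not cover `resolveProxyClass`, which `ObjectInputStream` invokes separately for dynamic-proxy descriptors; if the class does not override that method as well (not visible here), proxy entries in the stream bypass both lists. On Java 9+ an `ObjectInputFilter` installed through `setObjectInputFilter` can enforce the same name policy and additionally bound depth, array length and reference count, which would be a more robust complement to this name matching. A comment on the denylist such as `// Defence in depth only; the allowlist below is the primary control` would make the intended layering explicit to the next maintainer.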