This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 1bc8a20 Improved: Improve UtilObject class (OFBIZ-12216) 1bc8a20 is described below commit 1bc8a206346f251c9076c2fb9babc896ba6bdf0d Author: Jacques Le Roux <[hidden email]> AuthorDate: Tue Mar 30 09:25:33 2021 +0200 Improved: Improve UtilObject class (OFBIZ-12216) Removes "DiskFileItem, FileItemHeadersImpl are not serializable" case. It does not appear in trunk. Handling with exception Rather than returning null cleans UtilObject class. Restrict unauthorized deserialisations to java.rmi instead of java.rmi.server
---
 .../apache/ofbiz/base/util/SafeObjectInputStream.java | 16 ++++------------
 .../main/java/org/apache/ofbiz/base/util/UtilObject.java | 8 ++------
 2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index e846081..8bab7be 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -24,6 +24,7 @@ import static org.apache.ofbiz.base.util.UtilProperties.getPropertyValue;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.util.Arrays;
@@ -64,20 +65,11 @@ public final class SafeObjectInputStream extends ObjectInputStream {
 protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
 String className = classDesc.getName();
 // DenyList exploits; eg: don't allow RMI here
- if (className.contains("java.rmi.server")) {
- Debug.logWarning("***Incompatible class***: "
- + classDesc.getName()
- + ". java.rmi.server classes are not allowed for security reason",
- "SafeObjectInputStream");
- return null;
+ if (className.contains("java.rmi")) {
+ throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
 }
 if (!allowlistPattern.matcher(className).find()) {
- // DiskFileItem, FileItemHeadersImpl are not serializable.
- if (className.contains("org.apache.commons.fileupload")) {
- return null;
- }
- Debug.logWarning("***Incompatible class***: "
- + classDesc.getName()
+ Debug.logWarning("***Incompatible class***: " + className
 + ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. "
 + "Else follow https://s.apache.org/45war", "SafeObjectInputStream");
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index 2dd1dcb..ad1de2f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -77,11 +77,7 @@ public final class UtilObject {
 Object obj = null;
 try {
 obj = getObjectException(bytes);
- // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
- if (obj == null) {
- return null;
- }
- } catch (ClassNotFoundException | IOException e) {
+ } catch (IOException | ClassCastException | ClassNotFoundException e) {
 Debug.logError(e, MODULE);
 }
 return obj;
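Review bot: The deny-list test on the new `if (className.contains("java.rmi"))` line is an unanchored substring match, so it fires on any fully qualified name that embeds that text anywhere rather than on the package it is meant to block; `if (className.startsWith("java.rmi."))` states the intent exactly, and since the allowlist check right below is the actual control, the deny-list only has to be precise, not broad. Replacing the old `return null` with `throw new InvalidClassException(...)` is the right change, because a null from resolveClass does not stop the deserialisation cleanly. The removed branch also logged a warning and the new one does not, so a denied attempt is now only recorded when the caller logs the exception, as the UtilObject hunk does via Debug.logError; keeping a Debug.logWarning line immediately before the throw would make the event visible from SafeObjectInputStream itself regardless of which caller reads the stream. resolveClass's body continues past the end of the hunk, so what the allowlist-miss path does after the logWarning is not visible here.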
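Review bot: The widened `} catch (IOException | ClassCastException | ClassNotFoundException e) {` swallows an unchecked exception whose origin is not visible anywhere in the diff: ObjectInputStream.readObject() declares only IOException and ClassNotFoundException, and the only other mention of ClassCastException is the throws clause added to getObjectException in the following hunk, whose visible body does not cast. If a cast inside SafeObjectInputStream is the intended source, a comment naming it would make this catch reviewable, e.g. `// ClassCastException comes from <origin — confirm>`; otherwise it is better left to propagate, since catching it here turns a programming error into a logged-and-null result that callers of this method may not notice. The enclosing method's signature lies before the start of the hunk, so its documented contract cannot be checked against this change from here.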
@@ -94,7 +90,7 @@ public final class UtilObject {
 * @throws ClassNotFoundException when the class can not be deserialized.
 * @throws IOException when a general Input/Output error happen.
 */
- public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
+ public static Object getObjectException(byte[] bytes) throws ClassCastException, ClassNotFoundException, IOException {
 try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
 return wois.readObject(); |
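Review bot: The new signature declares `throws ClassCastException, ClassNotFoundException, IOException`, but the Javadoc directly above it still lists only `@throws ClassNotFoundException` and `@throws IOException`, so the documented contract and the declared one no longer agree. Add a `* @throws ClassCastException` line that states the condition under which it is raised; nothing in the visible body (`wois.readObject()`) performs a cast, so that sentence should name where the exception actually originates, or the declaration should be dropped. ClassCastException is unchecked, so listing it in the throws clause documents intent only and does not oblige callers to handle it. The method's try block continues past the end of the hunk.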