Author: jleroux
Date: Thu Sep 12 07:49:41 2019 New Revision: 1866834 URL: http://svn.apache.org/viewvc?rev=1866834&view=rev Log: Improved: Improve ObjectInputStream class (OFBIZ-10837) Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property CVE-2019-0189 Added: ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties (with props) Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Added: ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties?rev=1866834&view=auto ==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties (added)
+++ ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties Thu Sep 12 07:49:41 2019
@@ -0,0 +1,27 @@
+###############################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+###############################################################################
+
+# Because of OFBIZ-10837 - Improve ObjectInputStream class.
+# If you encounter a related issue (object not in the whitelist),
+# you must provide a complete list of objects to pass to ObjectInputStream
+# through ListOfSafeObjectsForInputStream property
+# As an example, the a complete list of objects used by OFBiz OOTB is commented out by default here.
+# You will need to add your objects/classes to this list.
+
+#listOfSafeObjectsForInputStream=byte\\\\[\\\\], foo, SerializationInjector, \\\\[Z,\\\\[B,\\\\[S,\\\\[I,\\\\[J,\\\\[F,\\\\[D,\\\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*
Propchange: ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/trunk/framework/base/config/SafeObjectInputStream.properties ------------------------------------------------------------------------------ svn:mime-type = text/plain Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1866834&r1=1866833&r2=1866834&view=diff ==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Thu Sep 12 07:49:41 2019
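Review bot: The commented example key `listOfSafeObjectsForInputStream` (lower-case l) does not match the key the Java side reads, `ListOfSafeObjectsForInputStream` in UtilObject.getObjectException, and the comment three lines above uses that capitalised form; Properties keys are case-sensitive, so an admin who uncomments this line as-is gets the default list and the override is silently ignored. Pick one spelling (the commit log uses `listOfSafeObjectsForInputStream`) and use it in the code, the comment and the example. The file also never says how the value is parsed or what it means; add `# Comma-separated list of Java regular expressions matched against the class name of every object being deserialized; anything not matched is rejected with a ClassCastException.` above the example. If the four backslashes per bracket in the example are what was committed rather than a rendering artifact, they reach the regex as `\\[` (an escaped backslash followed by an unescaped `[`), which is not the `\[` the Java default list uses — two backslashes per bracket in a .properties file is the equivalent. Also fix the typo "the a complete list".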
@@ -62,7 +62,8 @@ public class SafeObjectInputStream exten
 if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
 Debug.logWarning("***Incompatible class***: " + classDesc.getName() + ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. "
- + "Else add your class into UtilObject::getObjectException", "SafeObjectInputStream");
+ + "Else follow https://s.apache.org/45war"
+ , "SafeObjectInputStream");
 throw new ClassCastException("Incompatible class: " + classDesc.getName());
 }
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1866834&r1=1866833&r2=1866834&view=diff ==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Thu Sep 12 07:49:41 2019
@@ -24,6 +24,7 @@ import java.io.IOException;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Array;
 import java.util.Iterator;
+import java.util.List;
 import java.util.ServiceLoader;
 import org.apache.ofbiz.base.lang.Factory;
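Review bot: The rejection the new warning is attached to uses `WHITELIST_PATTERN.matcher(classDesc.getName()).find()`, so unless WHITELIST_PATTERN itself carries `^…$` anchors (its construction is outside this hunk, and the enclosing method begins before it) every entry is matched as a substring: `java..*` then admits any class name that merely contains "java", and because its dot is unescaped it admits `javax.*` even when anchored; the same holds for `org.apache.ofbiz..*`. Anchoring each entry and quoting literal dots, e.g. `^(?:java\\..*|sun\\.util\\.calendar\\..*|org\\.apache\\.ofbiz\\..*)$`, would make the list mean what it reads as, which matters more now that the list is user-editable. Separately, `classDesc.getName()` comes from the attacker-controlled stream and is written to the log verbatim; if Debug does not neutralise line breaks, strip them before logging so a crafted class name cannot forge log entries. Style: keep the comma on the string line rather than starting the continuation with it, `+ "Else follow https://s.apache.org/45war", "SafeObjectInputStream");`.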
@@ -85,13 +86,22 @@ public final class UtilObject {
 /** Deserialize a byte array back to an object */
 public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
+ String listOfSafeObjectsForInputStream = UtilProperties.getPropertyValue("SafeObjectInputStream",
+ "ListOfSafeObjectsForInputStream");
+ List<String> listOfSafeObjects = null;
+ if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
+ listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+ } else {
+ listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
+ "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
+ "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*");
+ } // "foo" and, "SerializationInjector" are used in UtilObjectTests::testGetObject
+
 try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 SafeObjectInputStream wois = new SafeObjectInputStream(bis, Thread.currentThread().getContextClassLoader(),
- java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
- "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
- "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*"));) {
- // "foo" and, "SerializationInjector" are used in UtilObjectTests::testGetObject
+ listOfSafeObjects)) {;
+
 return wois.readObject();
 }
 }
|
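Review bot: `java.util.Arrays.asList(listOfSafeObjectsForInputStream)` wraps the whole property value as one list element — it is never split on commas — so a configured override becomes a single pattern containing commas and spaces instead of a list of patterns, and the example in SafeObjectInputStream.properties cannot work as written. Split it first: `listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream.split("\\s*,\\s*"));`. The key is read as `ListOfSafeObjectsForInputStream` while the properties file and the commit log spell it `listOfSafeObjectsForInputStream`; Properties keys are case-sensitive, so align the two or the override is silently ignored. Two smaller points: `{;` after the try header leaves an empty statement, and the property is re-read on every deserialization, which is fine only if UtilProperties caches. Since this list is the CVE-2019-0189 mitigation, document next to the default that `java..*` is already broad (its unescaped dot also covers `javax.*`) and that every entry an admin adds widens what untrusted bytes may instantiate; on JDK 8u121+ an `ObjectInputFilter` built from the same list would be a complementary, JDK-enforced check.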