Author: mthl
Date: Sat Oct 26 14:54:20 2019
New Revision: 1869003
URL:
http://svn.apache.org/viewvc?rev=1869003&view=revLog:
Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)
There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled. Mistakenly
only one class identifier was allowed.
The tests have not been backported from ‘trunk’ because of the way
‘UtilProperties#setPropertyValueInMemory’ works in 18.12.
Modified:
ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
Modified: ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1869003&r1=1869002&r2=1869003&view=diff==============================================================================
--- ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sat Oct 26 14:54:20 2019
@@ -24,9 +24,11 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
+import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.ServiceLoader;
+import java.util.stream.Collectors;
import org.apache.ofbiz.base.lang.Factory;
import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -106,7 +108,10 @@ public final class UtilObject {
"ListOfSafeObjectsForInputStream");
List<String> listOfSafeObjects = null;
if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
- listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+ listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+ .map(String::trim)
+ .filter(s -> !s.isEmpty())
+ .collect(Collectors.toList());
} else {
listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
"\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",