Author: jleroux
Date: Sun Oct 27 09:37:19 2019
New Revision: 1869033
URL:
http://svn.apache.org/viewvc?rev=1869033&view=revLog:
"Applied fix from trunk framework for revision: 1869001"
------------------------------------------------------------------------
r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes
Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)
There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled. Mistakenly
only one class identifier was allowed.
Some unit tests have been added to check that the identified bug is fixed.
------------------------------------------------------------------------
Modified:
ofbiz/branches/release16.11/ (props changed)
ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
Merged /ofbiz/ofbiz-framework/trunk:r1869001
Modified: ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1869033&r1=1869032&r2=1869033&view=diff==============================================================================
--- ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sun Oct 27 09:37:19 2019
@@ -24,10 +24,11 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.InputStream;
+import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.ServiceLoader;
-import java.lang.Class;
+import java.util.stream.Collectors;
import org.apache.ofbiz.base.lang.Factory;
import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -109,7 +110,10 @@ public final class UtilObject {
"ListOfSafeObjectsForInputStream");
List<String> listOfSafeObjects = null;
if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
- listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+ listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+ .map(String::trim)
+ .filter(s -> !s.isEmpty())
+ .collect(Collectors.toList());
} else {
listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
"\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
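Review bot: The `split(",")` on the configured value treats every comma as a separator, while the default entries just below (`"byte\\[\\]"`, `"\\[Z"`) look like regular expressions, so a configured pattern that itself contains a comma, such as a `{1,3}` quantifier, would be cut into two allowlist entries. How the list is matched is outside this hunk, so that reading is inferred, but because the list decides which classes may be deserialized, the format deserves a comment above the stream: `// Comma-separated class-name patterns; an entry must not contain ','. A configured list replaces the defaults below rather than extending them.` A value holding only commas or blanks now produces an empty list instead of the defaults, which presumably fails closed but does so silently, so a warning log in that case would help operators. The log message mentions added unit tests, yet this merge lists only UtilObject.java as modified, so the branch appears to carry the fix without them. The enclosing method starts before and continues after the hunk.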