svn commit: r1869033 - in /ofbiz/branches/release16.11: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1869033 - in /ofbiz/branches/release16.11: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

jleroux@apache.org
Author: jleroux
Date: Sun Oct 27 09:37:19 2019
New Revision: 1869033

URL: http://svn.apache.org/viewvc?rev=1869033&view=rev
Log:
"Applied fix from trunk framework for revision: 1869001"
------------------------------------------------------------------------
r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes

Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)

There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled.  Mistakenly
only one class identifier was allowed.

Some unit tests have been added to check that the identified bug is fixed.

------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
  Merged /ofbiz/ofbiz-framework/trunk:r1869001

Modified: ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1869033&r1=1869032&r2=1869033&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sun Oct 27 09:37:19 2019
@@ -24,10 +24,11 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.ObjectOutputStream;
 import java.io.InputStream;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
-import java.lang.Class;
+import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -109,7 +110,10 @@ public final class UtilObject {
                 "ListOfSafeObjectsForInputStream");
         List<String> listOfSafeObjects = null;
         if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
-            listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+            listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+                    .map(String::trim)
+                    .filter(s -> !s.isEmpty())
+                    .collect(Collectors.toList());
         } else {
             listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
                     "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",