svn commit: r1713849 - in /commons/proper/collections/branches/COLLECTIONS_3_2_X/src: java/org/apache/commons/collections/functors/ test/org/apache/commons/collections/functors/

tn Wed, 11 Nov 2015 06:22:18 -0800

Author: tn
Date: Wed Nov 11 14:21:37 2015
New Revision: 1713849

URL: http://svn.apache.org/viewvc?rev=1713849&view=rev
Log:
[COLLECTIONS-580] Add fix for PrototypeFactory as well.


Added:
    
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
   (with props)
Modified:
    
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
    
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/package.html
    
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestAll.java

Modified: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
URL: 
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/PrototypeFactory.java?rev=1713849&r1=1713848&r2=1713849&view=diff
==============================================================================
--- 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
 (original)
+++ 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
 Wed Nov 11 14:21:37 2015
@@ -49,6 +49,16 @@ public class PrototypeFactory {
      * <li>public copy constructor
      * <li>serialization clone
      * <ul>
+     * <p>
+     * <b>WARNING:</b> from v3.2.2 onwards this method will return a {@code 
Factory}
+     * that will throw an {@link UnsupportedOperationException} when trying to 
serialize
+     * or de-serialize it to prevent potential remote code execution exploits.
+     * <p>
+     * In order to re-enable serialization support the following system 
property
+     * can be used (via -Dproperty=true):
+     * <pre>
+     * org.apache.commons.collections.enableUnsafeSerialization
+     * </pre>
      *
      * @param prototype  the object to clone each time in the factory
      * @return the <code>prototype</code> factory
@@ -144,6 +154,24 @@ public class PrototypeFactory {
                 throw new FunctorException("PrototypeCloneFactory: Clone 
method threw an exception", ex);
             }
         }
+        
+        /**
+         * Overrides the default writeObject implementation to prevent
+         * serialization (see COLLECTIONS-580).
+         */
+        private void writeObject(ObjectOutputStream os) throws IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+            os.defaultWriteObject();
+        }
+
+        /**
+         * Overrides the default readObject implementation to prevent
+         * de-serialization (see COLLECTIONS-580).
+         */
+        private void readObject(ObjectInputStream is) throws 
ClassNotFoundException, IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+            is.defaultReadObject();
+        }
     }
 
     // PrototypeSerializationFactory
@@ -204,6 +232,24 @@ public class PrototypeFactory {
                 }
             }
         }
+        
+        /**
+         * Overrides the default writeObject implementation to prevent
+         * serialization (see COLLECTIONS-580).
+         */
+        private void writeObject(ObjectOutputStream os) throws IOException {
+            
FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+            os.defaultWriteObject();
+        }
+
+        /**
+         * Overrides the default readObject implementation to prevent
+         * de-serialization (see COLLECTIONS-580).
+         */
+        private void readObject(ObjectInputStream is) throws 
ClassNotFoundException, IOException {
+            
FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+            is.defaultReadObject();
+        }
     }
 
 }

Modified: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/package.html
URL: 
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/package.html?rev=1713849&r1=1713848&r2=1713849&view=diff
==============================================================================
--- 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/package.html
 (original)
+++ 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/package.html
 Wed Nov 11 14:21:37 2015
@@ -38,6 +38,8 @@ Classes considered to be unsafe are:
   <li>InstantiateFactory</li>
   <li>InstantiateTransformer</li>
   <li>InvokerTransformer</li>
+  <li>PrototypeFactory$PrototypeCloneFactory</li>
+  <li>PrototypeFactory$PrototypeSerializationFactory</li>
   <li>WhileClosure</li>
 </ul>
 <p>

Modified: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestAll.java
URL: 
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestAll.java?rev=1713849&r1=1713848&r2=1713849&view=diff
==============================================================================
--- 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestAll.java
 (original)
+++ 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestAll.java
 Wed Nov 11 14:21:37 2015
@@ -36,6 +36,7 @@ public class TestAll extends TestCase {
         suite.addTest(TestInstantiateTransformer.suite());
         suite.addTest(TestInstantiateFactory.suite());
         suite.addTest(TestInvokerTransformer.suite());
+        suite.addTest(TestPrototypeFactory.suite());
         suite.addTest(TestWhileClosure.suite());
         return suite;
     }

Added: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
URL: 
http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java?rev=1713849&view=auto
==============================================================================
--- 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
 (added)
+++ 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
 Wed Nov 11 14:21:37 2015
@@ -0,0 +1,49 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.commons.collections.functors;
+
+import java.util.ArrayList;
+
+import org.apache.commons.collections.Factory;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+public class TestPrototypeFactory extends AbstractTestSerialization {
+
+    // conventional
+    // ------------------------------------------------------------------------
+
+    public TestPrototypeFactory(String testName) {
+        super(testName);
+    }
+
+    public static Test suite() {
+        return new TestSuite(TestPrototypeFactory.class);
+    }
+
+    // ------------------------------------------------------------------------
+
+    public Object makeObject() {
+        return PrototypeFactory.getInstance(new ArrayList());
+    }
+
+    public Class getTestClass() {
+        return Factory.class;
+    }
+
+}

Propchange: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
------------------------------------------------------------------------------
    svn:keywords = Id Revision HeadURL

Propchange: 
commons/proper/collections/branches/COLLECTIONS_3_2_X/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

svn commit: r1713849 - in /commons/proper/collections/branches/COLLECTIONS_3_2_X/src: java/org/apache/commons/collections/functors/ test/org/apache/commons/collections/functors/

Reply via email to