Author: tn Date: Fri Nov 13 20:08:45 2015 New Revision: 1714262 URL: http://svn.apache.org/viewvc?rev=1714262&view=rev Log: [COLLECTIONS-580] Removed serialization support for the identified unsafe classes in the collections4 branch.
Modified: commons/proper/collections/trunk/src/changes/changes.xml commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/ForClosure.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/package-info.java Modified: commons/proper/collections/trunk/src/changes/changes.xml URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/changes/changes.xml?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/changes/changes.xml (original) +++ commons/proper/collections/trunk/src/changes/changes.xml Fri Nov 13 20:08:45 2015 
@@ -22,6 +22,13 @@ <body> <release version="4.1" date="TBD" description=""> + <action issue="COLLECTIONS-580" dev="tn" type="update"> + Serialization support for unsafe classes in the functor package + has been removed as this can be exploited for remote code execution + attacks. Classes considered to be unsafe are: CloneTransformer, + ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, + PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure. + </action> <action issue="COLLECTIONS-576" dev="tn" type="fix" due-to="Stephan Roch"> Subclasses of MultiKey did not re-calculate their hashcode after de-serialization. </action> Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/CloneTransformer.java Fri Nov 13 20:08:45 2015 
@@ -16,22 +16,22 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; - import org.apache.commons.collections4.Transformer; /** * Transformer implementation that returns a clone of the input object. * <p> * Clone is performed using <code>PrototypeFactory.prototypeFactory(input).create()</code>. + * <p> + * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ */ -public class CloneTransformer<T> implements Transformer<T, T>, Serializable { - - /** Serial version UID */ - private static final long serialVersionUID = -8188742709499652567L; +public class CloneTransformer<T> implements Transformer<T, T> { /** Singleton predicate instance */ @SuppressWarnings("rawtypes") // the singleton instance works for all types @@ -46,7 +46,7 @@ public class CloneTransformer<T> impleme */ @SuppressWarnings("unchecked") // the singleton instance works for all types public static <T> Transformer<T, T> cloneTransformer() { - return (Transformer<T, T>) INSTANCE; + return INSTANCE; } /** @@ -62,6 +62,7 @@ public class CloneTransformer<T> impleme * @param input the input object to transform * @return the transformed result */ + @Override public T transform(final T input) { if (input == null) { return null; 
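Review bot: The new class Javadoc says the class "will not be serializable anymore" but does not tell callers what that means for object graphs they already serialize: once `Serializable` is dropped, passing a graph that still references a CloneTransformer to `ObjectOutputStream` fails at write time with `java.io.NotSerializableException`, and streams written by an earlier release that contain one are rejected at read time. One sentence after the COLLECTIONS-580 link would make the migration explicit, e.g. `* Serializing an object graph that contains this instance now fails with {@link java.io.NotSerializableException}; keep such functors in {@code transient} fields or rebuild them after deserialization.` The same WARNING block is copied into ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer and WhileClosure in this commit, so the sentence belongs in each of them. Separately, the retained field comment `/** Singleton predicate instance */` describes a Transformer as a predicate and could read `/** Singleton transformer instance */`.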
@@ -69,8 +70,4 @@ public class CloneTransformer<T> impleme return PrototypeFactory.prototypeFactory(input).create(); } - private Object readResolve() { - return INSTANCE; - } - } Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/ForClosure.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/ForClosure.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/ForClosure.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/ForClosure.java Fri Nov 13 20:08:45 2015 @@ -16,20 +16,20 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; - import org.apache.commons.collections4.Closure; /** * Closure implementation that calls another closure n times, like a for loop. + * <p> + * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ */ -public class ForClosure<E> implements Closure<E>, Serializable { - - /** Serial version UID */ - private static final long serialVersionUID = -1190120533393621674L; +public class ForClosure<E> implements Closure<E> { /** The number of times to loop */ private final int iCount; 
@@ -76,6 +76,7 @@ public class ForClosure<E> implements Cl * * @param input the input object */ + @Override public void execute(final E input) { for (int i = 0; i < iCount; i++) { iClosure.execute(input); Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateFactory.java Fri Nov 13 20:08:45 2015 @@ -16,7 +16,6 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; @@ -25,14 +24,16 @@ import org.apache.commons.collections4.F /** * Factory implementation that creates a new object instance by reflection. + * <p> + * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ */ -public class InstantiateFactory<T> implements Factory<T>, Serializable { - - /** The serial version */ - private static final long serialVersionUID = -7732226881069447957L; +public class InstantiateFactory<T> implements Factory<T> { /** The class to create */ private final Class<T> iClassToInstantiate; 
@@ -118,6 +119,7 @@ public class InstantiateFactory<T> imple * * @return the new object */ + @Override public T create() { // needed for post-serialization if (iConstructor == null) { Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InstantiateTransformer.java Fri Nov 13 20:08:45 2015 @@ -16,7 +16,6 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; @@ -25,14 +24,16 @@ import org.apache.commons.collections4.T /** * Transformer implementation that creates a new object instance by reflection. + * <p> + * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ */ -public class InstantiateTransformer<T> implements Transformer<Class<? extends T>, T>, Serializable { - - /** The serial version */ - private static final long serialVersionUID = 3786388740793356347L; +public class InstantiateTransformer<T> implements Transformer<Class<? extends T>, T> { /** Singleton instance that uses the no arg constructor */ @SuppressWarnings("rawtypes") 
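Review bot: The comment `// needed for post-serialization` directly below the newly annotated `create()` is now stale: with `Serializable` removed from InstantiateFactory in the hunk above, an instance can no longer arrive with a null `iConstructor` from a stream, so the null check either guards a lazy lookup for another reason or is dead. Reword it to state why the check still exists, e.g. `// iConstructor is resolved lazily; this is no longer a deserialization hook (COLLECTIONS-580)`, or remove the check if the constructor is known to always populate the field; the field declaration is outside the hunk, and if it is still marked `transient` that modifier is dead as well. The same stale comment is kept in `PrototypeFactory.PrototypeCloneFactory.create()` later in this commit. The body of `create()` continues past the end of the hunk.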
@@ -51,7 +52,7 @@ public class InstantiateTransformer<T> i */ @SuppressWarnings("unchecked") public static <T> Transformer<Class<? extends T>, T> instantiateTransformer() { - return (Transformer<Class<? extends T>, T>) NO_ARG_INSTANCE; + return NO_ARG_INSTANCE; } /** @@ -107,6 +108,7 @@ public class InstantiateTransformer<T> i * @param input the input object to transform * @return the transformed result */ + @Override public T transform(final Class<? extends T> input) { try { if (input == null) { Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java Fri Nov 13 20:08:45 2015 @@ -16,7 +16,6 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; 
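Review bot: Style: `@SuppressWarnings("unchecked")` on `instantiateTransformer()` now silences the unchecked conversion of the raw `NO_ARG_INSTANCE` rather than an explicit cast, and unlike the parallel edit to `CloneTransformer.cloneTransformer()` in this commit it carries no justification. Add the same trailing comment so the next reader knows the suppression is deliberate, `@SuppressWarnings("unchecked") // the singleton instance works for all types`. The `@SuppressWarnings("rawtypes")` on the `NO_ARG_INSTANCE` field in the previous hunk would benefit from the same comment.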
@@ -25,14 +24,16 @@ import org.apache.commons.collections4.T /** * Transformer implementation that creates a new object instance by reflection. + * <p> + * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ */ -public class InvokerTransformer<I, O> implements Transformer<I, O>, Serializable { - - /** The serial version */ - private static final long serialVersionUID = -8653385846894047688L; +public class InvokerTransformer<I, O> implements Transformer<I, O> { /** The method name to call */ private final String iMethodName; @@ -121,6 +122,7 @@ public class InvokerTransformer<I, O> im * @param input the input object to transform * @return the transformed result, null if null input */ + @Override @SuppressWarnings("unchecked") public O transform(final Object input) { if (input == null) { Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/PrototypeFactory.java Fri Nov 13 20:08:45 2015 
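Review bot: The class Javadoc summary kept on the new side, `* Transformer implementation that creates a new object instance by reflection.`, describes InstantiateTransformer rather than this class; the retained field comment `/** The method name to call */` and the `transform(final Object input)` hunk below show that InvokerTransformer invokes a named method on its input. Since this commit already edits that Javadoc block to add the serialization warning, correct the summary at the same time, e.g. `* Transformer implementation that invokes a named method on the input object by reflection.` Because the class still reflects over a caller-supplied method name (`iMethodName`), the WARNING could also state that the method name and arguments must come from trusted code only, even though the serialization vector is now closed.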
@@ -30,6 +30,12 @@ import org.apache.commons.collections4.F /** * Factory implementation that creates a new instance each time based on a prototype. + * <p> + * <b>WARNING:</b> from v4.1 onwards {@link Factory} instances returned by + * {@link #prototypeFactory(Object)} will <b>not</b> be serializable anymore in order + * to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ @@ -91,10 +97,7 @@ public class PrototypeFactory { /** * PrototypeCloneFactory creates objects by copying a prototype using the clone method. */ - static class PrototypeCloneFactory<T> implements Factory<T>, Serializable { - - /** The serial version */ - private static final long serialVersionUID = 5604271422565175555L; + static class PrototypeCloneFactory<T> implements Factory<T> { /** The object to clone each time */ private final T iPrototype; @@ -126,6 +129,7 @@ public class PrototypeFactory { * * @return the new object */ + @Override @SuppressWarnings("unchecked") public T create() { // needed for post-serialization @@ -148,10 +152,7 @@ public class PrototypeFactory { /** * PrototypeSerializationFactory creates objects by cloning a prototype using serialization. */ - static class PrototypeSerializationFactory<T extends Serializable> implements Factory<T>, Serializable { - - /** The serial version */ - private static final long serialVersionUID = -8704966966139178833L; + static class PrototypeSerializationFactory<T extends Serializable> implements Factory<T> { /** The object to clone via serialization each time */ private final T iPrototype; 
@@ -169,6 +170,7 @@ public class PrototypeFactory { * * @return the new object */ + @Override @SuppressWarnings("unchecked") public T create() { final ByteArrayOutputStream baos = new ByteArrayOutputStream(512); Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/WhileClosure.java Fri Nov 13 20:08:45 2015 @@ -16,22 +16,22 @@ */ package org.apache.commons.collections4.functors; -import java.io.Serializable; - import org.apache.commons.collections4.Closure; import org.apache.commons.collections4.Predicate; /** * Closure implementation that executes a closure repeatedly until a condition is met, * like a do-while or while loop. + * <p> + * <b>WARNING:</b> from v4.1 onwards this class will <b>not</b> be serializable anymore + * in order to prevent potential remote code execution exploits. Please refer to + * <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a> + * for more details. * * @since 3.0 * @version $Id$ */ -public class WhileClosure<E> implements Closure<E>, Serializable { - - /** Serial version UID */ - private static final long serialVersionUID = -3110538116913760108L; +public class WhileClosure<E> implements Closure<E> { /** The test condition */ private final Predicate<? super E> iPredicate; 
@@ -81,6 +81,7 @@ public class WhileClosure<E> implements * * @param input the input object */ + @Override public void execute(final E input) { if (iDoLoop) { iClosure.execute(input); Modified: commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/package-info.java URL: http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/package-info.java?rev=1714262&r1=1714261&r2=1714262&view=diff ============================================================================== --- commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/package-info.java (original) +++ commons/proper/collections/trunk/src/main/java/org/apache/commons/collections4/functors/package-info.java Fri Nov 13 20:08:45 2015 @@ -21,6 +21,22 @@ * {@link org.apache.commons.collections4.Transformer Transformer} and * {@link org.apache.commons.collections4.Factory Factory} interfaces. * These provide simple callbacks for processing with collections. + * <p> + * <b>WARNING:</b> from v4.1 onwards several unsafe classes in this package + * will not be serializable anymore in order to prevent potential remote + * code execution exploits. + * <p> + * Classes considered to be unsafe are: + * <ul> + * <li>CloneTransformer</li> + * <li>ForClosure</li> + * <li>InstantiateFactory</li> + * <li>InstantiateTransformer</li> + * <li>InvokerTransformer</li> + * <li>PrototypeFactory$PrototypeCloneFactory</li> + * <li>PrototypeFactory$PrototypeSerializationFactory</li> + * <li>WhileClosure</li> + * </ul> * * @version $Id$ */