[COLLECTIONS-580] Add fix for PrototypeFactory as well. git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713849 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/commons-collections/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-collections/commit/d9a00134 Tree: http://git-wip-us.apache.org/repos/asf/commons-collections/tree/d9a00134 Diff: http://git-wip-us.apache.org/repos/asf/commons-collections/diff/d9a00134 Branch: refs/heads/COLLECTIONS_3_2_X Commit: d9a00134f16d685bea11b2b12de824845e6473e3 Parents: bce4d02 Author: Thomas Neidhart <t...@apache.org> Authored: Wed Nov 11 14:21:37 2015 +0000 Committer: Thomas Neidhart <t...@apache.org> Committed: Wed Nov 11 14:21:37 2015 +0000 ---------------------------------------------------------------------- .../collections/functors/PrototypeFactory.java | 46 ++++++++++++++++++ .../commons/collections/functors/package.html | 2 + .../commons/collections/functors/TestAll.java | 1 + .../functors/TestPrototypeFactory.java | 49 ++++++++++++++++++++ 4 files changed, 98 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/java/org/apache/commons/collections/functors/PrototypeFactory.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java index 5ba69eb..e28efb2 100644 --- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java +++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java 
@@ -49,6 +49,16 @@ public class PrototypeFactory {
      * <li>public copy constructor
      * <li>serialization clone
      * <ul>
+     * <p>
+     * <b>WARNING:</b> from v3.2.2 onwards this method will return a {@code Factory}
+     * that will throw an {@link UnsupportedOperationException} when trying to serialize
+     * or de-serialize it to prevent potential remote code execution exploits.
+     * <p>
+     * In order to re-enable serialization support the following system property
+     * can be used (via -Dproperty=true):
+     * <pre>
+     * org.apache.commons.collections.enableUnsafeSerialization
+     * </pre>
      *
      * @param prototype the object to clone each time in the factory
      * @return the <code>prototype</code> factory
@@ -144,6 +154,24 @@ public class PrototypeFactory {
                 throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
             }
         }
+
+        /**
+         * Overrides the default writeObject implementation to prevent
+         * serialization (see COLLECTIONS-580).
+         */
+        private void writeObject(ObjectOutputStream os) throws IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+            os.defaultWriteObject();
+        }
+
+        /**
+         * Overrides the default readObject implementation to prevent
+         * de-serialization (see COLLECTIONS-580).
+         */
+        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+            is.defaultReadObject();
+        }
     }
 
     // PrototypeSerializationFactory
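Review bot: The re-enable instructions in the new Javadoc make the reader assemble the flag from a placeholder (`-Dproperty=true`) and a separate `<pre>` block, which invites a mis-typed property name that silently leaves serialization disabled while the reader believes it is on. I would replace `can be used (via -Dproperty=true):` with `can be set to {@code true}, e.g. {@code -Dorg.apache.commons.collections.enableUnsafeSerialization=true}:`. It would also help to say that the property is a process-wide opt-in which presumably re-enables serialization for every class named in the package documentation's unsafe list, not only this factory, so callers understand the blast radius before setting it. The method this Javadoc belongs to (presumably `getInstance`) starts outside the hunk.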
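Review bot: The Javadoc on the new `writeObject`/`readObject` in PrototypeCloneFactory says they `prevent` (de-)serialization, but both delegate to `FunctorUtils.checkUnsafeSerialization`, which the Javadoc added earlier in this file describes as a gate that a system property switches off, so the comment overstates what the guard guarantees; the identical wording on the PrototypeSerializationFactory pair in the next hunk has the same issue. I would phrase it as `Overrides the default readObject implementation to reject de-serialization unless unsafe serialization has been explicitly enabled via system property (see COLLECTIONS-580).`, and likewise for writeObject. Since the rejection surfaces (per that Javadoc) as an `UnsupportedOperationException` rather than an IOException, a `@throws UnsupportedOperationException if serialization of this class is disabled` line on each method would warn callers that a plain `catch (IOException e)` around the stream call will not see it. Running the check before `is.defaultReadObject()` is the right order, since no field of the factory is populated before the gate decides. PrototypeCloneFactory starts outside the hunk.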
@@ -204,6 +232,24 @@ public class PrototypeFactory {
                 }
             }
         }
+
+        /**
+         * Overrides the default writeObject implementation to prevent
+         * serialization (see COLLECTIONS-580).
+         */
+        private void writeObject(ObjectOutputStream os) throws IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+            os.defaultWriteObject();
+        }
+
+        /**
+         * Overrides the default readObject implementation to prevent
+         * de-serialization (see COLLECTIONS-580).
+         */
+        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+            is.defaultReadObject();
+        }
     }
 
 }
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/java/org/apache/commons/collections/functors/package.html
----------------------------------------------------------------------
diff --git a/src/java/org/apache/commons/collections/functors/package.html b/src/java/org/apache/commons/collections/functors/package.html
index d73ee62..d678ddd 100644
--- a/src/java/org/apache/commons/collections/functors/package.html
+++ b/src/java/org/apache/commons/collections/functors/package.html
@@ -38,6 +38,8 @@ Classes considered to be unsafe are:
     <li>InstantiateFactory</li>
     <li>InstantiateTransformer</li>
     <li>InvokerTransformer</li>
+    <li>PrototypeFactory$PrototypeCloneFactory</li>
+    <li>PrototypeFactory$PrototypeSerializationFactory</li>
     <li>WhileClosure</li>
 </ul>
 <p>
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/test/org/apache/commons/collections/functors/TestAll.java
----------------------------------------------------------------------
diff --git a/src/test/org/apache/commons/collections/functors/TestAll.java b/src/test/org/apache/commons/collections/functors/TestAll.java
index 5337628..14bcf7a 100644
--- a/src/test/org/apache/commons/collections/functors/TestAll.java
+++ b/src/test/org/apache/commons/collections/functors/TestAll.java
@@ -36,6 +36,7 @@ public class TestAll extends TestCase {
         suite.addTest(TestInstantiateTransformer.suite());
         suite.addTest(TestInstantiateFactory.suite());
         suite.addTest(TestInvokerTransformer.suite());
+        suite.addTest(TestPrototypeFactory.suite());
         suite.addTest(TestWhileClosure.suite());
         return suite;
     }
http://git-wip-us.apache.org/repos/asf/commons-collections/blob/d9a00134/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
----------------------------------------------------------------------
diff --git a/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java b/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
new file mode 100644
index 0000000..1ac51e4
--- /dev/null
+++ b/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.collections.functors;
+
+import java.util.ArrayList;
+
+import org.apache.commons.collections.Factory;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+public class TestPrototypeFactory extends AbstractTestSerialization {
+
+    // conventional
+    // ------------------------------------------------------------------------
+
+    public TestPrototypeFactory(String testName) {
+        super(testName);
+    }
+
+    public static Test suite() {
+        return new TestSuite(TestPrototypeFactory.class);
+    }
+
+    // ------------------------------------------------------------------------
+
+    public Object makeObject() {
+        return PrototypeFactory.getInstance(new ArrayList());
+    }
+
+    public Class getTestClass() {
+        return Factory.class;
+    }
+
+}
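Review bot: `makeObject` builds its fixture from `new ArrayList()`, which has a public `clone()`, so `PrototypeFactory.getInstance` presumably resolves to PrototypeCloneFactory (the Javadoc in this commit lists the clone method as the first strategy tried) and the guard added to PrototypeSerializationFactory in the same commit is never exercised by this test. A second fixture whose prototype is Serializable but has neither a public `clone()` nor a copy constructor would cover that class; `AbstractTestSerialization` is not on the page, so I cannot tell whether it supports more than one fixture, and that may need a sibling test class rather than a second `makeObject`. A one-line class comment, `Tests that PrototypeFactory instances refuse (de-)serialization unless unsafe serialization is enabled (COLLECTIONS-580).`, would also make the purpose of this otherwise empty-looking test visible to the next maintainer.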