Author: jleroux Date: Sun Oct 27 09:35:29 2019 New Revision: 1869032 URL: http://svn.apache.org/viewvc?rev=1869032&view=rev Log: "Applied fix from trunk for revision: 1869001" ------------------------------------------------------------------------ r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes
Fixed: Handle whitelist of serializable classes from properties (OFBIZ-11261) There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value defined in the “SafeObjectInputStream.properties” file was handled. Mistakenly only one class identifier was allowed. Some unit tests have been added to check that the identified bug is fixed. ------------------------------------------------------------------------ Modified: ofbiz/ofbiz-framework/branches/release17.12/ (props changed) ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Propchange: ofbiz/ofbiz-framework/branches/release17.12/ ------------------------------------------------------------------------------ Merged /ofbiz/ofbiz-framework/trunk:r1869001,1869003 Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1869032&r1=1869031&r2=1869032&view=diff ==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sun Oct 27 09:35:29 2019
@@ -24,9 +24,11 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Array;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
+import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -106,7 +108,10 @@ public final class UtilObject {
 "ListOfSafeObjectsForInputStream");
 List<String> listOfSafeObjects = null;
 if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
- listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+ listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+ .map(String::trim)
+ .filter(s -> !s.isEmpty())
+ .collect(Collectors.toList());
 } else {
 listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
 "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
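Review bot: A property value that is non-empty but holds only separators or blanks (for example `,` or ` , `) passes the `UtilValidate.isNotEmpty` check, so the new stream yields an empty `listOfSafeObjects` and the built-in defaults in the `else` branch are never applied. How an empty allow-list is treated is decided outside this hunk, so the outcome should be made explicit here, e.g. `if (listOfSafeObjects.isEmpty()) { throw new IllegalStateException("ListOfSafeObjectsForInputStream has no usable entries"); }` or an explicit fall back to the defaults, rather than left to the consumer. The default entries carry regex escapes (`"\\[Z"`, `"byte\\[\\]"`), which suggests each configured entry is matched as a pattern; if so, a comment such as `// each comma-separated entry is a regular expression matched against the class name; escape dots and keep entries narrow` would help operators avoid widening the set of classes that may be deserialized. The enclosing method starts and ends outside the hunk.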