This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new a0495b3 Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398) a0495b3 is described below commit a0495b344e751abf2647d46627e1c7a102d752d1 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Feb 24 12:50:15 2020 +0100 Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398) I missed to update refactored UtilObject class
---
 .../org/apache/ofbiz/base/util/UtilObject.java | 31 +++++++---------------
 1 file changed, 9 insertions(+), 22 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index d73aa55..eb7666a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -24,11 +24,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Array;
-import java.util.Arrays;
 import java.util.Iterator;
-import java.util.List;
 import java.util.ServiceLoader;
-import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -102,27 +99,17 @@ public final class UtilObject {
 return obj;
 }
 
- /** Deserialize a byte array back to an object */
+ /**
+ * Deserializes a byte array back to an object.
+ *
+ * @param bytes the array of bytes
+ * @return the deserialized object.
+ * @throws ClassNotFoundException when the class can not be deserialized.
+ * @throws IOException when a general Input/Output error happen.
+ */
 public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
- String listOfSafeObjectsForInputStream = UtilProperties.getPropertyValue("SafeObjectInputStream",
- "ListOfSafeObjectsForInputStream");
- List<String> listOfSafeObjects = null;
- if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
- listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
- .map(String::trim)
- .filter(s -> !s.isEmpty())
- .collect(Collectors.toList());
- } else {
- listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
- "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
- "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*");
- } // "foo" and, "SerializationInjector" are used in UtilObjectTests::testGetObject
-
 try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
- SafeObjectInputStream wois = new SafeObjectInputStream(bis,
- Thread.currentThread().getContextClassLoader(),
- listOfSafeObjects)) {;
-
+ SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
 return wois.readObject();
 }
 }
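Review bot: The new `new SafeObjectInputStream(bis)` call drops both the explicit allow-list and the `Thread.currentThread().getContextClassLoader()` argument that the removed lines passed, so the class-name patterns that gate deserialization (the CVE-2019-0189 mitigation) and the loader used to resolve them are now decided entirely inside SafeObjectInputStream's one-argument constructor, which this diff does not show. Since the commit message promises no functional change, that constructor should be checked to still read the `SafeObjectInputStream` / `ListOfSafeObjectsForInputStream` property, fall back to the same default patterns (per the removed comment, UtilObjectTests::testGetObject depends on "foo" and "SerializationInjector" being admitted), and resolve classes through the context class loader rather than the loader that defined UtilObject. The new Javadoc says nothing about this restriction; add `* Class resolution is delegated to {@link SafeObjectInputStream}, which rejects any class whose name does not match the configured allow-list.` before the `@param` tag, and give the exception raised for a rejected class its own `@throws` tag once its type is confirmed, since neither `ClassNotFoundException` nor `IOException` is obviously it. The tag `@throws IOException when a general Input/Output error happen.` should read `happens`.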