This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new ee51eb7 Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
ee51eb7 is described below
commit ee51eb7360108f50d4b3d4280317dc810b5ec2c1
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 5 11:02:28 2021 +0100
Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
Adds an example based on RMI which is known to be a problem
---
.../org/apache/ofbiz/base/util/SafeObjectInputStream.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index d50cfbf..a24e027 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -63,9 +63,18 @@ public final class SafeObjectInputStream extends ObjectInputStream {
 @Override
 protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
- if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+ String className = classDesc.getName();
+ // BlackList exploits; eg: don't allow RMI here
+ if (className.contains("java.rmi.server")) {
+ Debug.logWarning("***Incompatible class***: "
+ + classDesc.getName()
+ + ". java.rmi.server classes are not allowed for security reason",
+ "SafeObjectInputStream");
+ return null;
+ }
+ if (!whitelistPattern.matcher(className).find()) {
 // DiskFileItem, FileItemHeadersImpl are not serializable.
- if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+ if (className.contains("org.apache.commons.fileupload")) {
 return null;
 }
 Debug.logWarning("***Incompatible class***: "