This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push: new 957a088f57 Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592) 957a088f57 is described below commit 957a088f572fb4e58da3357ac8e5e9138f4efde2 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Apr 21 05:59:48 2022 +0200 Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592) The previous commit was twice wrong: 1. System properties in gradle.properties are not defined using -D but using systemProp. 2. Anyway systemProp. is defining system properties only available in JVM where Gradle is running, not the application you run. For that you need to use applicationDefaultJvmArgs in application in the main build.gradle. Here is the system property for jdk.serialFilter
---
 build.gradle | 6 +++---
 gradle.properties | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/build.gradle b/build.gradle
index 6e001381c1..62aeff801f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -80,9 +80,10 @@ ext.pluginsDir = "${rootDir}/plugins"
 application {
 mainClassName = 'org.apache.ofbiz.base.start.Start'
+ // jdk.serialFilter is to "Prevent possible DOS attack done using Java deserialisation" (OFBIZ-12592)
 applicationDefaultJvmArgs = project.hasProperty('jvmArgs') ? jvmArgs.tokenize()
- : ['-Xms128M', '-Xmx1024M']
+ : ['-Xms128M','-Xmx1024M','-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
 }
 distributions.main.contents.from(rootDir) {
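Review bot: The serial filter is lost as soon as a `jvmArgs` project property is supplied, because the new `-Djdk.serialFilter=…` entry sits only in the else branch of the ternary; anyone who runs with `-PjvmArgs=…` to tune the heap silently switches the deserialisation limits back off. Append the filter outside the conditional so it holds in both branches: `def serialFilter = '-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000'` and `applicationDefaultJvmArgs = (project.hasProperty('jvmArgs') ? jvmArgs.tokenize() : ['-Xms128M', '-Xmx1024M']) + [serialFilter]`. `applicationDefaultJvmArgs` only feeds the application plugin's start scripts and `run` task; if the project also launches OFBiz through its own JavaExec tasks (not visible in this hunk), those presumably need the same property, so confirm. The added comment would also be clearer if it said that these are resource limits on a stream (array size, depth, references, bytes), not an allow-list of deserialisable classes.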
@@ -1148,7 +1149,6 @@ tasks.startScripts {
 unixScript.text.replace('CLASSPATH=$APP_HOME/lib','CLASSPATH=$APP_HOME/config/:$APP_HOME/lib-extra/*:$APP_HOME/lib')
 // Alter the start script for Windows systems.
 windowsScript.text =
- windowsScript.text.replace('CLASSPATH=%APP_HOME%\\lib',
- 'CLASSPATH=%APP_HOME%\\conf\\;%APP_HOME%\\lib-extra\\*;%APP_HOME%\\lib')
+ windowsScript.text.replace('CLASSPATH=%APP_HOME%\\lib','CLASSPATH=%APP_HOME%\\conf\\;%APP_HOME%\\lib-extra\\*;%APP_HOME%\\lib')
 }
 }
diff --git a/gradle.properties b/gradle.properties
index 39ea90a1b2..dbb3a5708b 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -21,5 +21,3 @@ org.gradle.console=plain
 # If you experience heap memory problems during the Gradle build, for example
 # building with integrated plugins, the following setting might help
 #org.gradle.jvmargs=-Xms128m -Xmx1024m -XX:+CMSClassUnloadingEnabled
-# This is for "Prevent possible DOS attack done using Java deserialisation" (OFBIZ-12592)
--Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000