This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 389f90cbb6 Improved: Prevent possible DOS attack done using Java 
deserialisation (OFBIZ-12592)
389f90cbb6 is described below

commit 389f90cbb60aeee3a9175e6b0fe999c28d82aa42
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Apr 21 05:59:48 2022 +0200

    Improved: Prevent possible DOS attack done using Java deserialisation 
(OFBIZ-12592)
    
    The previous commit was wrong on two counts:
    1. System properties in gradle.properties are not defined using -D but using
    systemProp.
    2. Anyway systemProp. is defining system properties only available in JVM 
where
    Gradle is running, not the application you run. For that you need to use
    applicationDefaultJvmArgs in application in the main build.gradle.
    
    Here is the system property for jdk.serialFilter
---
 build.gradle      | 6 +++---
 gradle.properties | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/build.gradle b/build.gradle
index 06cd6fdab8..842b64c00c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -80,9 +80,10 @@ ext.pluginsDir = "${rootDir}/plugins"
 
 application {
     mainClassName = 'org.apache.ofbiz.base.start.Start'
+    // jdk.serialFilter is to "Prevent possible DOS attack done using Java 
deserialisation" (OFBIZ-12592)
     applicationDefaultJvmArgs = project.hasProperty('jvmArgs')
             ? jvmArgs.tokenize()
-            : ['-Xms128M', '-Xmx1024M']
+            : 
['-Xms128M','-Xmx1024M','-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
 }
 
 distributions.main.contents.from(rootDir) {
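Review bot: The `-Djdk.serialFilter=...` argument is added only to the else branch of the `applicationDefaultJvmArgs` ternary, so any run that sets `-PjvmArgs=...` silently loses the filter while keeping the behaviour the ticket is meant to prevent. Appending it to both branches keeps the protection independent of how the heap flags are chosen: `def serialFilter = '-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000'` followed by `applicationDefaultJvmArgs = (project.hasProperty('jvmArgs') ? jvmArgs.tokenize() : ['-Xms128M', '-Xmx1024M']) + [serialFilter]`. The filter as written only bounds resource usage (array length, graph depth, reference count, stream bytes) and does not restrict which classes may be deserialized, so the new comment would be more accurate as `// jdk.serialFilter bounds ObjectInputStream resource usage to prevent a deserialisation DoS (OFBIZ-12592); it does not limit which classes are accepted`. Whether `maxbytes=500000` is large enough for the object graphs the application legitimately deserializes is not visible here and should be confirmed against those call sites, since a too-small limit turns into an `InvalidClassException` at runtime.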
@@ -1148,7 +1149,6 @@ tasks.startScripts {
                 
unixScript.text.replace('CLASSPATH=$APP_HOME/lib','CLASSPATH=$APP_HOME/config/:$APP_HOME/lib-extra/*:$APP_HOME/lib')
         // Alter the start script for Windows systems.
         windowsScript.text =
-                windowsScript.text.replace('CLASSPATH=%APP_HOME%\\lib',
- 'CLASSPATH=%APP_HOME%\\conf\\;%APP_HOME%\\lib-extra\\*;%APP_HOME%\\lib')
+                
windowsScript.text.replace('CLASSPATH=%APP_HOME%\\lib','CLASSPATH=%APP_HOME%\\conf\\;%APP_HOME%\\lib-extra\\*;%APP_HOME%\\lib')
     }
 }
diff --git a/gradle.properties b/gradle.properties
index 39ea90a1b2..dbb3a5708b 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -21,5 +21,3 @@ org.gradle.console=plain
 # If you experience heap memory problems during the Gradle build, for example
 # building with integrated plugins, the following setting might help
 #org.gradle.jvmargs=-Xms128m -Xmx1024m -XX:+CMSClassUnloadingEnabled
-# This is for "Prevent possible DOS attack done using Java deserialisation" 
(OFBIZ-12592)
--Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000
