[ofbiz-framework] branch release18.12 updated: Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592)

Thu, 21 Apr 2022 03:03:13 -0700 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 1ced939556 Improved: Prevent possible DOS attack done using Java 
deserialisation (OFBIZ-12592)
1ced939556 is described below

commit 1ced939556bab8b0be3fbc3ba7f22a70bce4f267
Author: Jacques Le Roux <[email protected]>
AuthorDate: Thu Apr 21 12:02:47 2022 +0200

    Improved: Prevent possible DOS attack done using Java deserialisation 
(OFBIZ-12592)
    
    In previous commit I used Gradle application plugin and removed the
    jvmArguments var used below in build.gradle. This restores jvmArguments, 
fixes
    a problem with mainClassName missing in application plugin, simplifies
    applicationDefaultJvmArgs and move ext.ofbizMainClass to a more logical 
place
---
 build.gradle | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/build.gradle b/build.gradle
index 971975758b..fbac44e145 100644
--- a/build.gradle
+++ b/build.gradle
@@ -42,7 +42,7 @@ apply plugin: 'java'
 apply plugin: 'groovy'
 apply plugin: 'eclipse'
 apply plugin: 'maven-publish'
-apply plugin: "at.bxm.svntools"
+apply plugin: 'at.bxm.svntools'
 apply plugin: 'org.asciidoctor.convert'
 apply plugin: 'checkstyle'
 
@@ -51,14 +51,19 @@ apply from: 'common.gradle'
 // global properties
 ext.os = System.getProperty('os.name').toLowerCase()
 ext.pluginsDir = "${rootDir}/plugins"
+ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
+
+// java settings
+List jvmArguments = ['-Xms128M', '-Xmx1024M', 
'-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
+if (project.hasProperty('jvmArgs')) {
+    jvmArguments = jvmArgs.tokenize()
+}
 
 application {
+    mainClassName = 'org.apache.ofbiz.base.start.Start'
     // jdk.serialFilter is to "Prevent possible DOS attack done using Java 
deserialisation" (OFBIZ-12592)
-    applicationDefaultJvmArgs = project.hasProperty('jvmArgs')
-            ? jvmArgs.tokenize()
-            : 
['-Xms128M','-Xmx1024M','-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
+    applicationDefaultJvmArgs = 
['-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
 }
-ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
 
 javadoc {
     title='OFBiz R18.12 API'

Reply via email to