Hi Mukul, I would suggest reviewing the documentation for java.io.Serializable [1] for details about readObject()/writeObject(). This code gets called by Java when a user reads or writes a DOM using Java object serialization.
The conversions between ArrayList and Vector in NamedNodeMapImpl are there for compatibility reasons. Casting to Vector when creating the ArrayList in readObject() prevents other unexpected List types from being injected into the stream.

Thanks.

[1] https://docs.oracle.com/javase/8/docs/api/java/io/Serializable.html

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

Mukul Gandhi <[email protected]> wrote on 04/20/2018 12:01:15 AM:

> Hi David,
>
> The "private void readObject(...)" method you've cited is not
> called from anywhere, i.e. it's an unused method/redundant code.
>
> Please correct me if I'm wrong.
>
> On Thu, Apr 19, 2018 at 11:46 PM, David Dillard <[email protected]>
> wrote:
> > Hi,
> >
> > Tuesday, Oracle released its Quarterly Critical Patch Update, which included
> > some fixes for Java. I saw that one of those fixes was for JAXP
> > (CVE-2018-2799). Going to Red Hat’s CVE database to get a real description
> > of the issue it says “It was discovered that the implementation of
> > the NamedNodeMapImpl class in the JAXP component of OpenJDK did not
> > limit the amount of memory allocated when creating object instance
> > from a serialized form. A specially-crafted input could cause a
> > Java application to use an excessive amount of memory when
> > deserialized.” It also includes the OpenJDK issue #. Looking for
> > that change in the OpenJDK repository it shows a small change in
> > readObject that is not found in the current Apache Xerces code.
> >
> > Current Xerces code:
> >
> >     private void readObject(ObjectInputStream in)
> >         throws IOException, ClassNotFoundException {
> >         in.defaultReadObject();
> >         if (nodes != null) {
> >             nodes = new ArrayList(nodes);
> >         }
> >     }
> >
> > Current OpenJDK code:
> >
> >     private void readObject(ObjectInputStream in)
> >         throws IOException, ClassNotFoundException {
> >         in.defaultReadObject();
> >         if (nodes != null) {
> >             // cast to Vector is required
> >             nodes = new ArrayList((Vector)nodes);
> >         }
> >     }
> >
> > Should this modification be made to Xerces? Do people agree that
> > it’s a vulnerability?
>
> --
> Regards,
> Mukul Gandhi
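The following stand-alone Java program is an added illustration of the point Michael makes above; it is not code from this thread, from Apache Xerces or from OpenJDK. The class names LenientBag, StrictBag and TamperingStream and the helper roundTrip are hypothetical. The two bag classes stand in for NamedNodeMapImpl: both write their List field as a Vector for compatibility, LenientBag reads it back with the readObject() David quoted from Xerces, and StrictBag with the one he quoted from OpenJDK. TamperingStream is an ObjectOutputStream subclass that plays the attacker by replacing the Vector with a LinkedList just before it is written, which is exactly the "unexpected List type injected into the stream" case; only the version with the cast notices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Vector;

public class VectorCastDemo {

    // Hypothetical stand-in for NamedNodeMapImpl with the readObject() David quoted from
    // Xerces: whatever Serializable List the stream carries in 'nodes' is copied as-is.
    static class LenientBag implements Serializable {
        private static final long serialVersionUID = 1L;
        List<String> nodes = new ArrayList<>();

        private void writeObject(ObjectOutputStream out) throws IOException {
            if (nodes != null) {
                nodes = new Vector<>(nodes); // Vector is the on-the-wire form (compatibility)
            }
            out.defaultWriteObject();
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (nodes != null) {
                nodes = new ArrayList<>(nodes);
            }
        }
    }

    // Same class with the readObject() David quoted from OpenJDK: the cast to Vector
    // fails fast (ClassCastException) if the stream carried any other List type.
    static class StrictBag implements Serializable {
        private static final long serialVersionUID = 1L;
        List<String> nodes = new ArrayList<>();

        private void writeObject(ObjectOutputStream out) throws IOException {
            if (nodes != null) {
                nodes = new Vector<>(nodes);
            }
            out.defaultWriteObject();
        }

        @SuppressWarnings("unchecked")
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (nodes != null) {
                nodes = new ArrayList<>((Vector<String>) nodes); // cast to Vector is required
            }
        }
    }

    // Stands in for an attacker editing the stream: each Vector is swapped for a LinkedList
    // just before it is written, so 'nodes' no longer holds the type writeObject() produced.
    static class TamperingStream extends ObjectOutputStream {
        TamperingStream(ByteArrayOutputStream bos) throws IOException {
            super(bos);
            enableReplaceObject(true);
        }

        @Override
        protected Object replaceObject(Object obj) {
            return (obj instanceof Vector) ? new LinkedList<Object>((Vector<?>) obj) : obj;
        }
    }

    // Serializes obj, optionally through the tampering stream, reads it back and reports
    // whether deserialization accepted the stream and what type 'nodes' came back as.
    static String roundTrip(Serializable obj, boolean tamper) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = tamper ? new TamperingStream(bos) : new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            Object back = in.readObject();
            List<?> nodes = back instanceof LenientBag ? ((LenientBag) back).nodes : ((StrictBag) back).nodes;
            return "accepted, nodes=" + nodes + " restored as " + nodes.getClass().getSimpleName();
        } catch (ClassCastException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        LenientBag lenient = new LenientBag();
        lenient.nodes.add("a");
        StrictBag strict = new StrictBag();
        strict.nodes.add("a");
        System.out.println("lenient, clean stream:    " + roundTrip(lenient, false));
        System.out.println("lenient, tampered stream: " + roundTrip(lenient, true)); // silently accepted
        System.out.println("strict, clean stream:     " + roundTrip(strict, false));
        System.out.println("strict, tampered stream:  " + roundTrip(strict, true));  // rejected
    }
}
```

Run with `javac VectorCastDemo.java && java VectorCastDemo`. Both classes accept a clean stream and restore nodes as an ArrayList. For the tampered stream, defaultReadObject() happily assigns the LinkedList to the field because the field is declared as List; LenientBag then copies it without complaint, while StrictBag's cast throws before the copy is made. The example shows the type check only; it says nothing about the memory behaviour described in the Red Hat advisory text quoted above.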
