[ofbiz-framework] branch release18.12 updated: Improved: Improve ObjectInputStream denyList (OFBIZ-12221)

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[ofbiz-framework] branch release18.12 updated: Improved: Improve ObjectInputStream denyList (OFBIZ-12221)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release18.12 by this push:
     new 544d207  Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
544d207 is described below

commit 544d207cbd2c0ec3c4493b0057207fa80d8088b0
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Apr 5 17:03:12 2021 +0200

    Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
    Prevents generics markup in string type names.
    Conflict handled by hand
 .../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 5dc785a..5c1b8b6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -65,8 +65,9 @@ public final class SafeObjectInputStream extends ObjectInputStream {
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
         String className = classDesc.getName();
-        // BlackList exploits; eg: don't allow RMI here
-        if (className.contains("java.rmi")) {
+        // DenyList
+        if (className.contains("java.rmi") // Don't allow RMI
+                || className.contains("<")) { // Prevent generics markup in string type names
             throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
         if (!whitelistPattern.matcher(className).find()) {