svn commit: r1869032 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1869032 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

jleroux@apache.org
Author: jleroux
Date: Sun Oct 27 09:35:29 2019
New Revision: 1869032

URL: http://svn.apache.org/viewvc?rev=1869032&view=rev
Log:
"Applied fix from trunk for revision: 1869001"
------------------------------------------------------------------------
r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes

Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)

There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled.  Mistakenly
only one class identifier was allowed.

Some unit tests have been added to check that the identified bug is fixed.

------------------------------------------------------------------------

Modified:
    ofbiz/ofbiz-framework/branches/release17.12/   (props changed)
    ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
  Merged /ofbiz/ofbiz-framework/trunk:r1869001,1869003

Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1869032&r1=1869031&r2=1869032&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sun Oct 27 09:35:29 2019
@@ -24,9 +24,11 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.lang.reflect.Array;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
+import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -106,7 +108,10 @@ public final class UtilObject {
                 "ListOfSafeObjectsForInputStream");
         List<String> listOfSafeObjects = null;
         if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
-            listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+            listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+                    .map(String::trim)
+                    .filter(s -> !s.isEmpty())
+                    .collect(Collectors.toList());
         } else {
             listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
                     "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",