This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 27c91802fcd83ef8b466d189fe8a7cbad22cc8e3 Author: Jacques Le Roux <[email protected]> AuthorDate: Sat May 2 12:32:07 2020 +0200 Improved: Improve ObjectInputStream class (OFBIZ-10837) While working on OFBIZ-11633 I crossed an issue in R18 (not in trunk) where objects from org.apache.commons.fileupload (namely DiskFileItem and FileItemHeadersImpl) are not serializable. While at it I decided to handle at the SafeObjectInputStream level the "fileItems" case I already crossed with, OFBIZ-11534, in RequestHandler It has an inconvenient in R18 (not in trunk) where ObjectInputStream can't handle a null class (of course) and so return a benign exception in log (only). I believe it's better to handle these specific cases at the lower possible level in all supported branches. --- .../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 4 ++++ .../base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java | 4 ++++ .../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java | 4 ---- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java index 2aebcde..d50cfbf 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java 
@@ -64,6 +64,10 @@ public final class SafeObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { if (!whitelistPattern.matcher(classDesc.getName()).find()) { + // DiskFileItem, FileItemHeadersImpl are not serializable. + if (classDesc.getName().contains("org.apache.commons.fileupload")) { + return null; + } Debug.logWarning("***Incompatible class***: " + classDesc.getName() + ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. " diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java index eb7666a..e194a2c 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java @@ -93,6 +93,10 @@ public final class UtilObject { Object obj = null; try { obj = getObjectException(bytes); + // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null + if (obj == null) { + return null; + } } catch (ClassNotFoundException | IOException e) { Debug.logError(e, module); } diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java index f239f20..52fa77f 100644 --- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java 
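Review bot: The new early return in resolveClass tests `classDesc.getName().contains("org.apache.commons.fileupload")`, a substring match on a name read from the serialized stream, so any non-whitelisted class whose name merely contains that text skips the `***Incompatible class***` warning. Anchoring the test to the package, `if (classDesc.getName().startsWith("org.apache.commons.fileupload.")) {`, limits the exemption to the classes the comment names. Returning null also hands the rejection over to ObjectInputStream, which the commit message says reports a null class as an exception; a comment such as `// null is refused by ObjectInputStream; this branch does not allow the class` would keep a later reader from taking it for an allow rule. Because the branch is silent, attempts to deserialize fileupload classes no longer leave a warning for whoever watches the log, so a low-level log line may be worth keeping. The rest of resolveClass lies outside the hunk.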
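Review bot: The added `if (obj == null) { return null; }` inside the try block in UtilObject appears to change nothing if the method ends by returning `obj` after the catch; that part is outside the hunk and should be checked. The comment attributes the null to SafeObjectInputStream::resolveClass returning null, but the commit message describes ObjectInputStream raising an exception in that case, which would presumably land in the `catch (ClassNotFoundException | IOException e)` branch and still be logged by `Debug.logError`. If the aim is to avoid the error log for the fileupload classes, the check probably belongs in the catch branch or in getObjectException. Otherwise a comment like `// null means the payload was refused or empty; callers must not assume an object was read` states the contract more accurately than the current wording.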
@@ -835,10 +835,6 @@ public class RequestHandler {
 }
 }
 if (reqAttrMap.size() > 0) {
- // fileItems is not serializable.
- // It contains a temporary DiskFileItem with a null value than can't be detected by UtilMisc::makeMapSerializable
- // So it must be removed from reqAttrMap. See OFBIZ-11534
- reqAttrMap.remove("fileItems");
 byte[] reqAttrMapBytes = UtilObject.getBytes(reqAttrMap);
 if (reqAttrMapBytes != null) {
 req.getSession().setAttribute("_REQ_ATTR_MAP_", StringUtil.toHexString(reqAttrMapBytes));

