This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 3f60efb Improved: Improve ObjectInputStream class
3f60efb is described below
commit 3f60efb343a11723aa56c1bc1f5afac3a2f26e9f
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat May 2 12:32:07 2020 +0200
Improved: Improve ObjectInputStream class
(OFBIZ-10837)
While working on OFBIZ-11633 I crossed an issue in R18 (not in trunk) where
objects from org.apache.commons.fileupload (namely DiskFileItem and
FileItemHeadersImpl) are not serializable.
While at it I decided to handle, at the SafeObjectInputStream level,
the "fileItems" case I had already come across in RequestHandler (OFBIZ-11534).
This has a drawback in R18 (not in trunk): ObjectInputStream can't
handle a null class (of course), so a benign exception shows up in the log
(only).
I believe it's better to handle these specific cases at the lower possible
level in all supported branches.
---
.../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 4 ++++
.../base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java | 4 ++++
.../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java | 4 ----
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git
a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 2aebcde..d50cfbf 100644
---
a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++
b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -64,6 +64,10 @@ public final class SafeObjectInputStream extends
ObjectInputStream {
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws
IOException, ClassNotFoundException {
if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+ // DiskFileItem, FileItemHeadersImpl are not serializable.
+ if (classDesc.getName().contains("org.apache.commons.fileupload"))
{
+ return null;
+ }
Debug.logWarning("***Incompatible class***: "
+ classDesc.getName()
+ ". Please see OFBIZ-10837. Report to dev ML if you use
OFBiz without changes. "
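Review bot: The new early return in `resolveClass` matches with `contains("org.apache.commons.fileupload")`, so any rejected class whose name merely includes that string is dropped without the `Debug.logWarning` that every other non-allow-listed class gets. For a deserialization allow-list that warning is the audit trail, so I would anchor the match with `if (classDesc.getName().startsWith("org.apache.commons.fileupload."))` and still emit a log line before returning. Returning null also departs from the `ObjectInputStream.resolveClass` contract (a class or a `ClassNotFoundException`), and the commit message itself notes that the stream cannot handle a null class on R18, so throwing `ClassNotFoundException` may be the more predictable way to reject. The rest of `resolveClass` lies outside the hunk.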
diff --git
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index 7375574..1950e12 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -77,6 +77,10 @@ public final class UtilObject {
Object obj = null;
try {
obj = getObjectException(bytes);
+ // DiskFileItem, FileItemHeadersImpl are not serializable. So
SafeObjectInputStream::resolveClass return null
+ if (obj == null) {
+ return null;
+ }
} catch (ClassNotFoundException | IOException e) {
Debug.logError(e, MODULE);
}
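Review bot: The added `if (obj == null) { return null; }` sits inside the try and looks redundant if the method simply returns `obj` after the catch (that part is outside the hunk). As written, null now stands for both "class filtered by SafeObjectInputStream" and "read failed and was logged", and callers cannot tell the two apart. If the check stays for readability, its comment should state that, e.g. `// null: the stream held a class SafeObjectInputStream::resolveClass refuses (commons-fileupload items); treat like a failed read`. This change also covers only the read path: whether `UtilObject.getBytes(reqAttrMap)` in RequestHandler still succeeds now that `fileItems` is no longer removed is not visible in this diff and deserves a test.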
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 84f91e4..6918fcc 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -878,10 +878,6 @@ public class RequestHandler {
}
}
if (reqAttrMap.size() > 0) {
- // fileItems is not serializable.
- // It contains a temporary DiskFileItem with a null value than
can't be detected by UtilMisc::makeMapSerializable
- // So it must be removed from reqAttrMap. See OFBIZ-11534
- reqAttrMap.remove("fileItems");
byte[] reqAttrMapBytes = UtilObject.getBytes(reqAttrMap);
if (reqAttrMapBytes != null) {
req.getSession().setAttribute("_REQ_ATTR_MAP_",
StringUtil.toHexString(reqAttrMapBytes));