This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 544d207 Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
544d207 is described below
commit 544d207cbd2c0ec3c4493b0057207fa80d8088b0
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Apr 5 17:03:12 2021 +0200
Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
Prevents generics markup in string type names.
Conflict handled by hand
framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
---
.../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git
a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 5dc785a..5c1b8b6 100644
---
a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++
b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -65,8 +65,9 @@ public final class SafeObjectInputStream extends
ObjectInputStream {
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws
IOException, ClassNotFoundException {
String className = classDesc.getName();
- // BlackList exploits; eg: don't allow RMI here
- if (className.contains("java.rmi")) {
+ // DenyList
+ if (className.contains("java.rmi") // Don't allow RMI
+ || className.contains("<")) { // Prevent generics markup in
string type names
throw new InvalidClassException(className, "Unauthorized
deserialisation attempt");
}
if (!whitelistPattern.matcher(className).find()) {
