[ https://issues.apache.org/jira/browse/OFBIZ-10837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043405#comment-17043405 ]
ASF subversion and git services commented on OFBIZ-10837:
---------------------------------------------------------
Commit d31e13729346aee0767a998a13bacfea726c870e in ofbiz-framework's branch
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d31e137 ]
Fixed: Improve ObjectInputStream class (CVE-2019-0189)
Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)
Steps to generate:
1. Navigate to - catalog/control/EditProdCatalog?prodCatalogId=TestCatalog
2. Click on - CREATE SEO CATEGORY/PRODUCTS
3. The broken page will be displayed
The issue is due to the use of a GString in
createMissingCategoryAndProductAltUrls().
This:
result.successMessageList = [
    "Categories updated: ${categoriesUpdated}",
    "Products updated: ${productsUpdated}"
]
As it's common to use such expressions, I have added the necessary classes,
org.codehaus.groovy.runtime.GStringImpl and groovy.lang.GString,
to the white list of classes in listOfSafeObjectsForInputStream in
SafeObjectInputStream.properties.
I have finally also decided to use this property as default and added a comment
so committers are aware that it should also be put in DEFAULT_WHITELIST_PATTERN
in the SafeObjectInputStream class, because if, for some reason,
listOfSafeObjectsForInputStream is empty, OFBiz will still be protected.
Note: cherry picking did not work at all. The change was completely handled by
hand. Fortunately, it was just about copying 2 files from trunk.
Thanks: Dikpal Kanungo for reporting
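A hypothetical allowlisting ObjectInputStream, added here to illustrate the approach the commit describes (a whitelist property with a built-in default pattern as fallback); it is not OFBiz's SafeObjectInputStream. The default pattern contents, the comma-separated format of the property value, and all class and method names are assumptions.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

// Hypothetical allowlisting ObjectInputStream modelled on the approach the commit
// describes (not OFBiz's own SafeObjectInputStream): an empty properties entry
// falls back to a built-in default pattern, so the stream stays protected either way.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Assumed default pattern; the two Groovy names are the ones the commit adds.
    static final String DEFAULT_WHITELIST_PATTERN = "java\\.lang\\..*|java\\.util\\..*"
        + "|org\\.codehaus\\.groovy\\.runtime\\.GStringImpl|groovy\\.lang\\.GString";
    private final Pattern allowed;

    // propertyValue stands in for listOfSafeObjectsForInputStream (assumed format:
    // comma-separated fully qualified class names, matched literally).
    public AllowlistObjectInputStream(InputStream in, String propertyValue) throws IOException {
        super(in);
        String pattern = DEFAULT_WHITELIST_PATTERN;
        if (propertyValue != null && !propertyValue.isBlank()) {
            pattern = Arrays.stream(propertyValue.trim().split("\\s*,\\s*"))
                .map(Pattern::quote).reduce((a, b) -> a + "|" + b).orElse(pattern);
        }
        allowed = Pattern.compile(pattern);
    }

    // Invoked for each class descriptor before any instance of that class is
    // created, so an unlisted class is refused before its code can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.matcher(desc.getName()).matches()) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Serializes value, then reads it back through the allowlisting stream.
    static Object roundTrip(Serializable value, String propertyValue) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()), propertyValue)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Empty property: java.util.ArrayList matches the default pattern and is read back.
        System.out.println(roundTrip(new ArrayList<>(List.of("Categories updated: 3")), ""));
        // java.math.BigDecimal matches neither the property nor the default, so it is refused.
        try { roundTrip(new java.math.BigDecimal("1.5"), "java.util.ArrayList"); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.classname); }
    }
}
```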
> Improve ObjectInputStream class (CVE-2019-0189)
> -----------------------------------------------
>
> Key: OFBIZ-10837
> URL: https://issues.apache.org/jira/browse/OFBIZ-10837
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 16.11, Release Branch 17.12, Release
> Branch 18.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in
> Sonar[1], a code smell in Findbugs[2]) when an extending class uses the same name
> as the extended Object.[3]
> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
> [3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows
> the simple name of the superclass java.io.ObjectInputStream
> This class has a simple name that is identical to that of its superclass,
> except that its superclass is in a different package (e.g., alpha.Foo extends
> beta.Foo). This can be exceptionally confusing, create lots of situations in
> which you have to look at import statements to resolve references and creates
> many opportunities to accidentally define methods that do not override
> methods in their superclasses.
> Rank: Troubling (14), confidence: High
> Pattern: NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> Type: Nm, Category: BAD_PRACTICE (Bad practice)
> 2019/09/12: Initially this description was intentionally written
> to somehow hide a security issue (CVE-2019-0189) while allowing the
> bug to be fixed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)