[ https://issues.apache.org/jira/browse/OFBIZ-10837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043441#comment-17043441 ]

ASF subversion and git services commented on OFBIZ-10837:
---------------------------------------------------------

Commit a0495b344e751abf2647d46627e1c7a102d752d1 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a0495b3 ]

Fixed: Improve ObjectInputStream class (CVE-2019-0189)
Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)

I missed updating the refactored UtilObject class.


> Improve ObjectInputStream class (CVE-2019-0189)
> -----------------------------------------------
>
>                 Key: OFBIZ-10837
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10837
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in 
> Sonar[1], a code smell in FindBugs[2]) when extending a class to use the same name 
> as the extended Object.[3]
> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
> [3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows 
> the simple name of the superclass java.io.ObjectInputStream
> This class has a simple name that is identical to that of its superclass, 
> except that its superclass is in a different package (e.g., alpha.Foo extends 
> beta.Foo). This can be exceptionally confusing, create lots of situations in 
> which you have to look at import statements to resolve references and creates 
> many opportunities to accidentally define methods that do not override 
> methods in their superclasses.
> Rank: Troubling (14), confidence: High
> Pattern: NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> Type: Nm, Category: BAD_PRACTICE (Bad practice)
> 2019/09/12: Initially this description was intentionally written 
> to somehow hide a security issue (CVE-2019-0189) while allowing the bug to be 
> fixed.
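The quoted FindBugs report explains why a subclass of java.io.ObjectInputStream should not reuse the simple name ObjectInputStream: references become ambiguous without the import list, and a method meant as an override can silently end up as a new method beside the superclass hook. The following is an added example, not OFBiz's code and not the fix the commit above applies; the class name AllowListObjectInputStream, the allow-list design and the sample payloads are assumptions chosen to illustrate the naming point together with the standard resolveClass hook that java.io.ObjectInputStream exposes to subclasses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;

/*
 * Hypothetical hardened stream (example code, not OFBiz's). The class is
 * deliberately NOT called ObjectInputStream: with a distinct simple name every
 * reference to java.io.ObjectInputStream is unambiguous without reading the
 * imports, and @Override makes the compiler prove that resolveClass really
 * replaces the superclass hook instead of silently adding a new method next to it.
 */
final class AllowListObjectInputStream extends java.io.ObjectInputStream {
    private final Set<String> allowedClassNames;

    AllowListObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    // java.io.ObjectInputStream calls this for every class descriptor in the stream
    // before the class is loaded or instantiated, so rejecting here stops an
    // unexpected type before any of its deserialization logic runs.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClassNames.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializationNamingDemo {

    // Serialize an object to bytes; the inputs below are constructed sample data.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under the allow-list; returns the object or throws InvalidClassException.
    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only ArrayList is permitted. Its String elements are written as TC_STRING
        // records, which never pass through resolveClass, so no entry is needed for them.
        Set<String> allowed = Set.of("java.util.ArrayList");

        List<String> payload = new ArrayList<>(List.of("order-1", "order-2"));
        Object ok = deserialize(serialize(payload), allowed);
        System.out.println("accepted: " + ok);

        try {
            deserialize(serialize(new Date(0L)), allowed);
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            // Expected: java.util.Date is not on the allow-list.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationNamingDemo.java && java DeserializationNamingDemo` (Java 9 or later for Set.of and List.of). If the subclass had been named ObjectInputStream as well, the `extends java.io.ObjectInputStream` clause and every local reference would need the fully qualified name to stay readable, which is exactly the confusion the NM_SAME_SIMPLE_NAME_AS_SUPERCLASS pattern flags.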



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
