[ https://issues.apache.org/jira/browse/OFBIZ-10837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-10837:
----------------------------------
    Fix Version/s:     (was: 17.12.02)
                   17.12.01

> Improve ObjectInputStream class (CVE-2019-0189)
> -----------------------------------------------
>
>                 Key: OFBIZ-10837
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10837
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 16.11, Release Branch 18.12, Release 
> Branch 17.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 16.11.06, 18.12.01, 17.12.01
>
>
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in 
> Sonar[1], a code smell in Findbugs[2]) when extending to use the same name 
> as the extended Object.[3]
> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
>  [3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows 
> the simple name of the superclass java.io.ObjectInputStream
> This class has a simple name that is identical to that of its superclass, 
> except that its superclass is in a different package (e.g., alpha.Foo extends 
> beta.Foo). This can be exceptionally confusing, create lots of situations in 
> which you have to look at import statements to resolve references and creates 
> many opportunities to accidentally define methods that do not override 
> methods in their superclasses.
> Rank: Troubling (14), confidence: High
>  Pattern: NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
>  Type: Nm, Category: BAD_PRACTICE (Bad practice)
> 2019/09/12: Initially this description was intentionally written 
> to somehow hide a security issue (CVE-2019-0189) while allowing the bug 
> to be fixed.
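The FindBugs text quoted above warns that a subclass sharing its superclass's simple name makes it easy to write a method that silently fails to override the one in java.io.ObjectInputStream. The Java class below is an added illustration, not OFBiz code and not the fix applied for CVE-2019-0189: it gives the subclass a distinct simple name, marks the hook with @Override so the compiler verifies the signature, and, because a custom ObjectInputStream subclass is the usual place to restrict which classes deserialization may instantiate, it does so with a constructed allowlist. The class name RestrictedObjectInputStream, the allowlist contents and the sample payloads are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;

// Illustrative subclass with a DISTINCT simple name: every reference to
// java.io.ObjectInputStream in this file is unambiguous without checking imports.
// Requires Java 9+ (Set.of / List.of).
public class RestrictedObjectInputStream extends java.io.ObjectInputStream {

    // Constructed allowlist of classes this stream may instantiate. A real
    // application would derive this from the types it actually expects.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList");

    public RestrictedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // @Override makes the compiler check that this really overrides the
    // superclass hook. Without it, a typo in the name or parameter type would
    // compile fine and leave the unrestricted superclass method in effect.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Helper for the demonstration: serialize an object to bytes.
    private static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Demonstration: an allowed payload round-trips, an unlisted one is rejected
    // before its class is ever resolved.
    public static void main(String[] args) throws Exception {
        List<String> allowed = new ArrayList<>(List.of("a", "b"));
        try (RestrictedObjectInputStream in =
                 new RestrictedObjectInputStream(new ByteArrayInputStream(toBytes(allowed)))) {
            System.out.println("accepted: " + in.readObject());
        }

        // java.util.Date is Serializable but not on the allowlist (constructed case).
        try (RestrictedObjectInputStream in =
                 new RestrictedObjectInputStream(new ByteArrayInputStream(toBytes(new Date())))) {
            in.readObject();
            System.out.println("unexpected: unlisted class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java RestrictedObjectInputStream.java`. If the class were instead named `ObjectInputStream` in some other package, a reader would have to inspect the imports to know which of the two same-named classes a given `new ObjectInputStream(...)` creates, which is exactly the confusion the FindBugs rule NM_SAME_SIMPLE_NAME_AS_SUPERCLASS flags.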



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
