
Commit 1bc8a20

committed
Improved: Improve UtilObject class (OFBIZ-12216)
Removes the "DiskFileItem, FileItemHeadersImpl are not serializable" case; it does not appear in trunk. Handling the rejection with an exception rather than returning null cleans up the UtilObject class. Deny deserialisation of any java.rmi class (previously only java.rmi.server).
1 parent 643b9c7 commit 1bc8a20

2 files changed

+6
-18
lines changed


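--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -24,6 +24,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.util.Arrays;
@@ -64,20 +65,11 @@ public SafeObjectInputStream(InputStream in) throws IOException {
 protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
 String className = classDesc.getName();
 // DenyList exploits; eg: don't allow RMI here
-if (className.contains("java.rmi.server")) {
-Debug.logWarning("***Incompatible class***: "
-+ classDesc.getName()
-+ ". java.rmi.server classes are not allowed for security reason",
-"SafeObjectInputStream");
-return null;
+if (className.contains("java.rmi")) {
+throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
 }
 if (!allowlistPattern.matcher(className).find()) {
-// DiskFileItem, FileItemHeadersImpl are not serializable.
-if (className.contains("org.apache.commons.fileupload")) {
-return null;
-}
-Debug.logWarning("***Incompatible class***: "
-+ classDesc.getName()
+Debug.logWarning("***Incompatible class***: " + className
 + ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. "
 + "Else follow https://s.apache.org/45war",
 "SafeObjectInputStream");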

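--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -77,11 +77,7 @@ public static Object getObject(byte[] bytes) {
 Object obj = null;
 try {
 obj = getObjectException(bytes);
-// DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
-if (obj == null) {
-return null;
-}
-} catch (ClassNotFoundException | IOException e) {
+} catch (IOException | ClassCastException | ClassNotFoundException e) {
 Debug.logError(e, MODULE);
 }
 return obj;
@@ -94,7 +90,7 @@ public static Object getObject(byte[] bytes) {
 * @throws ClassNotFoundException when the class can not be deserialized.
 * @throws IOException when a general Input/Output error happen.
 */
-public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
+public static Object getObjectException(byte[] bytes) throws ClassCastException, ClassNotFoundException, IOException {
 try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
 return wois.readObject();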
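Review bot: The catch at new line 80 of getObject folds the InvalidClassException that SafeObjectInputStream now raises for a denied java.rmi class into the same `Debug.logError(e, MODULE)` and `return obj` (null) path as a corrupt stream or a missing class, so a caller cannot distinguish a security rejection from a benign failure and the rejection surfaces only as a generic error with a stack trace. Consider catching `InvalidClassException` in its own clause ahead of the multi-catch and logging it with the offending class name at warning level, leaving getObjectException for callers that need to react to the rejection. Separately, the `throws ClassCastException` added to getObjectException's signature at new line 93 is not mirrored in the Javadoc directly above it, which still lists only ClassNotFoundException and IOException; add ` * @throws ClassCastException when the deserialised object cannot be cast to the expected type` (the hunk does not show where that exception originates, so adjust the wording if it is thrown elsewhere). The signature of getObject and the rest of getObjectException lie outside the hunks.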
