|
24 | 24 |
|
25 | 25 | import java.io.IOException;
|
26 | 26 | import java.io.InputStream;
|
| 27 | +import java.io.InvalidClassException; |
27 | 28 | import java.io.ObjectInputStream;
|
28 | 29 | import java.io.ObjectStreamClass;
|
29 | 30 | import java.util.Arrays;
|
@@ -64,20 +65,11 @@ public SafeObjectInputStream(InputStream in) throws IOException {
|
64 | 65 | protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
|
65 | 66 | String className = classDesc.getName();
|
66 | 67 | // DenyList exploits; eg: don't allow RMI here
|
67 |
| - if (className.contains("java.rmi.server")) { |
68 |
| - Debug.logWarning("***Incompatible class***: " |
69 |
| - + classDesc.getName() |
70 |
| - + ". java.rmi.server classes are not allowed for security reason", |
71 |
| - "SafeObjectInputStream"); |
72 |
| - return null; |
| 68 | + if (className.contains("java.rmi")) { |
| 69 | + throw new InvalidClassException(className, "Unauthorized deserialisation attempt"); |
73 | 70 | }
|
74 | 71 | if (!allowlistPattern.matcher(className).find()) {
|
75 |
| - // DiskFileItem, FileItemHeadersImpl are not serializable. |
76 |
| - if (className.contains("org.apache.commons.fileupload")) { |
77 |
| - return null; |
78 |
| - } |
79 |
| - Debug.logWarning("***Incompatible class***: " |
80 |
| - + classDesc.getName() |
| 72 | + Debug.logWarning("***Incompatible class***: " + className |
81 | 73 | + ". Please see OFBIZ-10837. Report to dev ML if you use OFBiz without changes. "
|
82 | 74 | + "Else follow https://s.apache.org/45war",
|
83 | 75 | "SafeObjectInputStream");
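Review bot: The new `java.rmi` branch at new line 69 throws without logging, so the warning the removed lines emitted for a blocked RMI class is gone and the only record of a blocked deserialization attempt is whatever the caller does with the InvalidClassException; a rejected gadget class is exactly the event an operator wants to see in the log, so keep a `Debug.logWarning("***Incompatible class***: " + className + ". java.rmi classes are not allowed for security reason", "SafeObjectInputStream");` immediately before the throw. The `contains("java.rmi")` test is a substring match on the full descriptor name, which also catches array descriptors such as `[Ljava.rmi.server.X;`; if that breadth is deliberate, a one-line comment saying so would stop a later reader from "tightening" it to `startsWith` and reopening the array case. This deny-list only runs through resolveClass; if resolveProxyClass is not overridden elsewhere in the file, a proxy descriptor naming an RMI interface would not pass through this check — worth confirming. resolveClass's body continues past the hunk, so what happens after the allow-list warning at new line 72 is not visible here.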
|