Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
Prevents generics markup in string type names.
JacquesLeRoux committed Apr 5, 2021
1 parent e786da4 commit fcc0078
Showing 1 changed file with 3 additions and 2 deletions.
@@ -64,8 +64,9 @@ public SafeObjectInputStream(InputStream in) throws IOException {
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
String className = classDesc.getName();
// DenyList exploits; eg: don't allow RMI here
if (className.contains("java.rmi")) {
// DenyList
if (className.contains("java.rmi") // Don't allow RMI
|| className.contains("<")) { // Prevent generics markup in string type names
throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
}
if (!allowlistPattern.matcher(className).find()) {
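Review bot: the added `className.contains("<")` check rejects a `<` anywhere in the name, which is safe for a denylist since no binary class name returned by `ObjectStreamClass.getName()` legitimately contains that character, but both tests in this condition remain substring matches (`contains("java.rmi")` would also reject an unrelated name that merely embeds that text), so the denylist should stay a defense-in-depth layer in front of the `allowlistPattern` check on the next line rather than the primary control. Suggest adding a unit test that feeds `SafeObjectInputStream` a stream whose class descriptor name contains `<` and one whose name contains `java.rmi` and asserts `InvalidClassException` for both, and stating in the commit message which input reported under OFBIZ-12221 the `<` check addresses, since "Prevents generics markup in string type names" does not say why such a name reaches `resolveClass`.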
