
Commit af9ed4e

committed
Fixed: Adds a blacklist (to be renamed soon to denylist) in Java serialisation (OFBIZ-12167)
Adds an example based on RMI which is known to be a problem
1 parent 11634ae commit af9ed4e


1 file changed

+11
-2
lines changed


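--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -62,9 +62,18 @@ public SafeObjectInputStream(InputStream in) throws IOException {
 
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
-        if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+        String className = classDesc.getName();
+        // BlackList exploits; eg: don't allow RMI here
+        if (className.contains("java.rmi.server")) {
+            Debug.logWarning("***Incompatible class***: "
+                    + classDesc.getName()
+                    + ". java.rmi.server classes are not allowed for security reason",
+                    "SafeObjectInputStream");
+            return null;
+        }
+        if (!whitelistPattern.matcher(className).find()) {
             // DiskFileItem, FileItemHeadersImpl are not serializable.
-            if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+            if (className.contains("org.apache.commons.fileupload")) {
                 return null;
             }
             Debug.logWarning("***Incompatible class***: "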
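Review bot: The new warning still calls `classDesc.getName()` on the `+ classDesc.getName()` line even though `className` was introduced two lines earlier to hold exactly that value; use `+ className` there so the denylist branch reads consistently with the allowlist branch that the commit also switched to `className`. The branch mirrors the existing fileupload case by returning null, which ObjectInputStream reports to the caller as a ClassNotFoundException with a generic message once the object is read, so the log line is the only record of why the stream was rejected; throwing `new InvalidClassException(className, "java.rmi.server classes are not allowed for security reason")` would carry the reason to the caller, at the cost of a second exception type for callers to handle. The substring check runs before the allowlist, so it only changes anything if `whitelistPattern` (declared outside the hunk) admits java.rmi.server names; if the project's JDK supports it, `java.io.ObjectInputFilter` is the standard place to express both lists. The body of resolveClass continues past the end of the hunk.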
