commit 1bc8a206346f251c9076c2fb9babc896ba6bdf0d
author Jacques Le Roux <jacques.le.roux@les7arts.com> Tue Mar 30 09:25:33 2021 +0200
committer Jacques Le Roux <jacques.le.roux@les7arts.com> Tue Mar 30 12:29:54 2021 +0200
tree 1e50f779bf6afdff1bae630cb25da43a5cfbcdf0
parent 643b9c7ea7dfc3e9df4b80527bf83d162f3bc39f

Improved: Improve UtilObject class (OFBIZ-12216)

Removes "DiskFileItem, FileItemHeadersImpl are not serializable" case. It does
not appear in trunk.

Handling with exception Rather than returning null cleans UtilObject class.

Restrict unauthorized deserialisations to java.rmi instead of java.rmi.server

framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index e846081..8bab7be 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -24,6 +24,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.util.Arrays;
@@ -64,20 +65,11 @@
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
         String className = classDesc.getName();
         // DenyList exploits; eg: don't allow RMI here
-        if (className.contains("java.rmi.server")) {
-            Debug.logWarning("***Incompatible class***: "
-                    + classDesc.getName()
-                    + ". java.rmi.server classes are not allowed for security reason",
-                    "SafeObjectInputStream");
-            return null;
+        if (className.contains("java.rmi")) {
+            throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
         }
         if (!allowlistPattern.matcher(className).find()) {
-            // DiskFileItem, FileItemHeadersImpl are not serializable.
-            if (className.contains("org.apache.commons.fileupload")) {
-                return null;
-            }
-            Debug.logWarning("***Incompatible class***: "
-                    + classDesc.getName()
+            Debug.logWarning("***Incompatible class***: " + className
                     + ". Please see OFBIZ-10837.  Report to dev ML if you use OFBiz without changes. "
                     + "Else follow https://s.apache.org/45war",
                     "SafeObjectInputStream");

framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index 2dd1dcb..ad1de2f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -77,11 +77,7 @@
         Object obj = null;
         try {
             obj = getObjectException(bytes);
-            // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
-            if (obj == null) {
-                return null;
-            }
-        } catch (ClassNotFoundException | IOException e) {
+        } catch (IOException | ClassCastException | ClassNotFoundException e) {
             Debug.logError(e, MODULE);
         }
         return obj;
@@ -94,7 +90,7 @@
      * @throws ClassNotFoundException when the class can not be deserialized.
      * @throws IOException when a general Input/Output error happen.
      */
-    public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
+    public static Object getObjectException(byte[] bytes) throws ClassCastException, ClassNotFoundException, IOException {
         try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
                 SafeObjectInputStream wois = new SafeObjectInputStream(bis)) {
             return wois.readObject();