"Applied fix from trunk framework for revision: 1869001"
------------------------------------------------------------------------
r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes
Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)
There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled. Mistakenly
only one class identifier was allowed.
Some unit tests have been added to check that the identified bug is fixed.
------------------------------------------------------------------------
�
git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1869033 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index a5e8655..1965e73 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -24,10 +24,11 @@
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.InputStream;
+import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.ServiceLoader;
-import java.lang.Class;
+import java.util.stream.Collectors;
import org.apache.ofbiz.base.lang.Factory;
import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -109,7 +110,10 @@
"ListOfSafeObjectsForInputStream");
List<String> listOfSafeObjects = null;
if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
- listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+ listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+ .map(String::trim)
+ .filter(s -> !s.isEmpty())
+ .collect(Collectors.toList());
} else {
listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
"\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",
