1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
Description: Disable the deserialization of the functors classes unless
the system property org.apache.commons.collections.enableUnsafeSerialization
is set to true.
.
This fixes a vulnerability in unsafe applications deserializing objects
from untrusted sources without sanitizing the input data.
.
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
Origin: backport, http://svn.apache.org/r1713845
Bug: https://issues.apache.org/jira/browse/COLLECTIONS-580
--- a/src/java/org/apache/commons/collections/functors/CloneTransformer.java
+++ b/src/java/org/apache/commons/collections/functors/CloneTransformer.java
@@ -68,4 +68,8 @@
return PrototypeFactory.getInstance(input).create();
}
+ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
+ FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
+ is.defaultReadObject();
+ }
}
--- a/src/java/org/apache/commons/collections/functors/ForClosure.java
+++ b/src/java/org/apache/commons/collections/functors/ForClosure.java
@@ -102,4 +102,8 @@
return iCount;
}
+ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
+ FunctorUtils.checkUnsafeSerialization(ForClosure.class);
+ is.defaultReadObject();
+ }
}
--- a/src/java/org/apache/commons/collections/functors/FunctorUtils.java
+++ b/src/java/org/apache/commons/collections/functors/FunctorUtils.java
@@ -16,6 +16,8 @@
*/
package org.apache.commons.collections.functors;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Collection;
import java.util.Iterator;
@@ -34,6 +36,10 @@
*/
class FunctorUtils {
+ /** System property key to enable unsafe serialization */
+ final static String UNSAFE_SERIALIZABLE_PROPERTY
+ = "org.apache.commons.collections.enableUnsafeSerialization";
+
/**
* Restricted constructor.
*/
@@ -152,4 +158,32 @@
}
}
+ /**
+ * Package-private helper method to check if serialization support is
+ * enabled for unsafe classes.
+ *
+ * @param clazz the clazz to check for serialization support
+ * @throws UnsupportedOperationException if unsafe serialization is disabled
+ */
+ static void checkUnsafeSerialization(Class clazz) {
+ String unsafeSerializableProperty;
+
+ try {
+ unsafeSerializableProperty =
+ (String) AccessController.doPrivileged(new PrivilegedAction() {
+ public Object run() {
+ return System.getProperty(UNSAFE_SERIALIZABLE_PROPERTY);
+ }
+ });
+ } catch (SecurityException ex) {
+ unsafeSerializableProperty = null;
+ }
+
+ if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) {
+ throw new UnsupportedOperationException(
+ "Serialization support for " + clazz.getName() + " is disabled for security reasons. " +
+ "To enable it set system property '" + UNSAFE_SERIALIZABLE_PROPERTY + "' to 'true', " +
+ "but you must ensure that your application does not de-serialize objects from untrusted sources.");
+ }
+ }
}
--- a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
+++ b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
@@ -136,5 +136,9 @@
throw new FunctorException("InstantiateFactory: Constructor threw an exception", ex);
}
}
-
+
+ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
+ FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class);
+ is.defaultReadObject();
+ }
}
--- a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
+++ b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
@@ -116,4 +116,8 @@
}
}
+ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
+ FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class);
+ is.defaultReadObject();
+ }
}
--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
+++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
@@ -134,4 +134,8 @@
}
}
+ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
+ FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class);
+ is.defaultReadObject();
+ }
}
--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
+++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
@@ -144,6 +144,11 @@
throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
}
}
+
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+ is.defaultReadObject();
+ }
}
// PrototypeSerializationFactory
@@ -204,6 +209,11 @@
}
}
}
+
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+ is.defaultReadObject();
+ }
}
}
--- a/src/java/org/apache/commons/collections/functors/WhileClosure.java
+++ b/src/java/org/apache/commons/collections/functors/WhileClosure.java
@@ -120,4 +120,8 @@
return iDoLoop;
}
+ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
+ FunctorUtils.checkUnsafeSerialization(WhileClosure.class);
+ is.defaultReadObject();
+ }
}
|
