1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
used, XStream mishandles attempts to create an instance of the primitive type
'void' during unmarshalling, leading to a remote application crash, as
demonstrated by an xstream.fromXML("<void/>") call.
Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
Bug-Debian: https://bugs.debian.org/861521
--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -72,6 +72,9 @@
if (exception != null) {
throw new ObjectAccessException("Cannot construct " + type.getName(), exception);
}
+ if (type == void.class || type == Void.class) {
+ throw new ObjectAccessException("Type void cannot have an instance");
+ }
try {
return unsafe.allocateInstance(type);
} catch (SecurityException e) {
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -9,7 +9,7 @@
import com.thoughtworks.xstream.core.util.Primitives;
/**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
*
* @author Jörg Schaible
* @since 1.4.7
@@ -21,7 +21,8 @@
public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
public boolean allows(Class type) {
- return type != null && type.isPrimitive() || Primitives.isBoxed(type);
+ return type != null && type != void.class && type != Void.class && type.isPrimitive()
+ || Primitives.isBoxed(type);
}
public int hashCode() {
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -13,7 +13,9 @@
import java.beans.EventHandler;
import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.ProxyTypePermission;
/**
@@ -80,4 +82,23 @@
BUFFER.append("Executed!");
}
}
+
+ public void testDeniedInstanceOfVoid() {
+ try {
+ xstream.fromXML("<void/>");
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+ }
+
+ public void testAllowedInstanceOfVoid() {
+ xstream.allowTypes(void.class, Void.class);
+ try {
+ xstream.fromXML("<void/>");
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ConversionException e) {
+ assertEquals("void", e.get("construction-type"));
+ }
+ }
}
|
