From 637fb986311f8c5a22cfb2ad2a6b928d179ea49c Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Wed, 2 Feb 2022 19:37:17 +0100
Subject: [PATCH] Fix CVE-2022-23307 Chainsaw
---
src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java b/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java
index ca087adc..7e739df5 100644
--- a/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java
+++ b/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java
@@ -22,6 +22,8 @@ import java.io.ObjectInputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
+
+import org.apache.log4j.FilteredObjectInputStream;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggingEvent;
@@ -59,7 +61,8 @@ class LoggingReceiver extends Thread {
LOG.debug("Starting to get data");
try {
final ObjectInputStream ois =
- new ObjectInputStream(mClient.getInputStream());
+ new FilteredObjectInputStream(
+ mClient.getInputStream(), FilteredObjectInputStream.SYSTEM_ALLOWED_CLASSES);
while (true) {
final LoggingEvent event = (LoggingEvent) ois.readObject();
mModel.addEvent(new EventDetails(event));
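Review bot: The new `FilteredObjectInputStream` construction carries no comment saying why a filtered stream is required here, and the `(LoggingEvent)` cast two lines below can look like sufficient type checking even though it runs only after `readObject()` has already instantiated whatever the peer sent. I would add `// Socket data is untrusted: deserialize only allow-listed classes (CVE-2022-23307).` above the constructor call so a later cleanup does not revert it to a plain `ObjectInputStream`. `FilteredObjectInputStream` and `SYSTEM_ALLOWED_CLASSES` are defined outside this patch (the diffstat shows one file changed), so it is worth confirming that the allow-list covers every class a serialized `LoggingEvent` graph legitimately needs and nothing broader. The `try` body continues past the hunk, so the handling of a rejected class is not visible here; presumably it surfaces as an exception from `readObject()`, and it should be logged and end the client connection rather than being retried inside the `while (true)` loop.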
--
2.33.1