From 637fb986311f8c5a22cfb2ad2a6b928d179ea49c Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Wed, 2 Feb 2022 19:37:17 +0100
Subject: [PATCH] Fix CVE-2022-23307 Chainsaw
---
src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java b/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java
index ca087adc..7e739df5 100644
--- a/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java
+++ b/src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java
@@ -22,6 +22,8 @@ import java.io.ObjectInputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
+
+import org.apache.log4j.FilteredObjectInputStream;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggingEvent;
@@ -59,7 +61,8 @@ class LoggingReceiver extends Thread {
LOG.debug("Starting to get data");
try {
final ObjectInputStream ois =
- new ObjectInputStream(mClient.getInputStream());
+ new FilteredObjectInputStream(
+ mClient.getInputStream(), FilteredObjectInputStream.SYSTEM_ALLOWED_CLASSES);
while (true) {
final LoggingEvent event = (LoggingEvent) ois.readObject();
mModel.addEvent(new EventDetails(event));
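Review bot: The allow-list choice at the `new FilteredObjectInputStream(` line deserves a comment, because a reader cannot tell why `SYSTEM_ALLOWED_CLASSES` is the right set for the `(LoggingEvent)` cast two lines below; suggest `// Allow-list deserialization: classes outside SYSTEM_ALLOWED_CLASSES are rejected before instantiation (CVE-2022-23307).` Whether `LoggingEvent` and the types it carries (throwable and location information) are covered by that list is not visible in this hunk and should be confirmed against `FilteredObjectInputStream`, since otherwise every received event would be rejected rather than only hostile ones. A rejected class presumably surfaces as an exception from `ois.readObject()` inside the `while (true)` loop; the catch that handles it lies outside the hunk, so it is worth checking that one bad payload ends only this client connection and is logged rather than swallowed. The enclosing try block and the method containing it start and end outside the hunk, and `ois` is not closed within the visible lines.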
--
2.33.1