Blame SOURCES/0001-Backport-fix-for-CVE-2017-5645.patch

4bf7c0
From ea4609eca531916ac347686c048bebdb7b4b6e0d Mon Sep 17 00:00:00 2001
4bf7c0
From: Michael Simacek <msimacek@redhat.com>
4bf7c0
Date: Fri, 2 Jun 2017 14:37:35 +0200
4bf7c0
Subject: [PATCH] Backport fix for CVE-2017-5645
4bf7c0
4bf7c0
---
4bf7c0
 .../apache/log4j/FilteredObjectInputStream.java    | 65 ++++++++++++++++++++++
4bf7c0
 src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++-
4bf7c0
 2 files changed, 80 insertions(+), 2 deletions(-)
4bf7c0
 create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java
4bf7c0
4bf7c0
diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
4bf7c0
new file mode 100644
4bf7c0
index 0000000..b9ef20c
4bf7c0
--- /dev/null
4bf7c0
+++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
4bf7c0
@@ -0,0 +1,65 @@
4bf7c0
+/*
4bf7c0
+ * Licensed to the Apache Software Foundation (ASF) under one or more
4bf7c0
+ * contributor license agreements. See the NOTICE file distributed with
4bf7c0
+ * this work for additional information regarding copyright ownership.
4bf7c0
+ * The ASF licenses this file to You under the Apache license, Version 2.0
4bf7c0
+ * (the "License"); you may not use this file except in compliance with
4bf7c0
+ * the License. You may obtain a copy of the License at
4bf7c0
+ *
4bf7c0
+ *      http://www.apache.org/licenses/LICENSE-2.0
4bf7c0
+ *
4bf7c0
+ * Unless required by applicable law or agreed to in writing, software
4bf7c0
+ * distributed under the License is distributed on an "AS IS" BASIS,
4bf7c0
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
4bf7c0
+ * See the license for the specific language governing permissions and
4bf7c0
+ * limitations under the license.
4bf7c0
+ */
4bf7c0
+package org.apache.log4j;
4bf7c0
+
4bf7c0
+import java.io.FileOutputStream;
4bf7c0
+import java.io.IOException;
4bf7c0
+import java.io.InputStream;
4bf7c0
+import java.io.InvalidObjectException;
4bf7c0
+import java.io.ObjectInputStream;
4bf7c0
+import java.io.ObjectStreamClass;
4bf7c0
+import java.util.Arrays;
4bf7c0
+import java.util.Collection;
4bf7c0
+import java.util.List;
4bf7c0
+
4bf7c0
+/**
4bf7c0
+ * Extended ObjectInputStream that only allows certain classes to be deserialized.
4bf7c0
+ *
4bf7c0
+ * Backported from 2.8.2
4bf7c0
+ */
4bf7c0
+public class FilteredObjectInputStream extends ObjectInputStream {
4bf7c0
+
4bf7c0
+    private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] {
4bf7c0
+        // Types of non-trainsient fields of LoggingEvent
4bf7c0
+        "java.lang.String",
4bf7c0
+        "java.util.Hashtable",
4bf7c0
+        // ThrowableInformation
4bf7c0
+        "[Ljava.lang.String;"
4bf7c0
+    });
4bf7c0
+
4bf7c0
+    private final Collection allowedClasses;
4bf7c0
+
4bf7c0
+    public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException {
4bf7c0
+        super(in);
4bf7c0
+        this.allowedClasses = allowedClasses;
4bf7c0
+    }
4bf7c0
+
4bf7c0
+    protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
4bf7c0
+        String name = desc.getName();
4bf7c0
+        if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
4bf7c0
+            throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
4bf7c0
+        }
4bf7c0
+        return super.resolveClass(desc);
4bf7c0
+    }
4bf7c0
+
4bf7c0
+    private static boolean isAllowedByDefault(final String name) {
4bf7c0
+        return name.startsWith("org.apache.log4j.") ||
4bf7c0
+            name.startsWith("[Lorg.apache.log4j.") ||
4bf7c0
+            REQUIRED_JAVA_CLASSES.contains(name);
4bf7c0
+    }
4bf7c0
+
4bf7c0
+}
4bf7c0
diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java
4bf7c0
index e977f13..f95bb10 100644
4bf7c0
--- a/src/main/java/org/apache/log4j/net/SocketNode.java
4bf7c0
+++ b/src/main/java/org/apache/log4j/net/SocketNode.java
4bf7c0
@@ -22,6 +22,10 @@ import java.io.IOException;
4bf7c0
 import java.io.InterruptedIOException;
4bf7c0
 import java.io.ObjectInputStream;
4bf7c0
 import java.net.Socket;
4bf7c0
+import java.util.ArrayList;
4bf7c0
+import java.util.Arrays;
4bf7c0
+import java.util.Collection;
4bf7c0
+import org.apache.log4j.FilteredObjectInputStream;
4bf7c0
 
4bf7c0
 import org.apache.log4j.Logger;
4bf7c0
 import org.apache.log4j.spi.LoggerRepository;
4bf7c0
@@ -53,8 +57,9 @@ public class SocketNode implements Runnable {
4bf7c0
     this.socket = socket;
4bf7c0
     this.hierarchy = hierarchy;
4bf7c0
     try {
4bf7c0
-      ois = new ObjectInputStream(
4bf7c0
-                         new BufferedInputStream(socket.getInputStream()));
4bf7c0
+      ois = new FilteredObjectInputStream(
4bf7c0
+                         new BufferedInputStream(socket.getInputStream()),
4bf7c0
+                         getAllowedClasses());
4bf7c0
     } catch(InterruptedIOException e) {
4bf7c0
       Thread.currentThread().interrupt();
4bf7c0
       logger.error("Could not open ObjectInputStream to "+socket, e);
4bf7c0
@@ -65,6 +70,14 @@ public class SocketNode implements Runnable {
4bf7c0
     }
4bf7c0
   }
4bf7c0
 
4bf7c0
+  private Collection getAllowedClasses() {
4bf7c0
+      Collection allowedClasses = new ArrayList();
4bf7c0
+      String property = System.getProperty("org.apache.log4j.net.allowedClasses");
4bf7c0
+      if (property != null)
4bf7c0
+          allowedClasses.addAll(Arrays.asList(property.split(",")));
4bf7c0
+      return allowedClasses;
4bf7c0
+  }
4bf7c0
+
4bf7c0
   //public
4bf7c0
   //void finalize() {
4bf7c0
   //System.err.println("-------------------------Finalize called");
4bf7c0
-- 
4bf7c0
2.9.4
4bf7c0