|
 |
54804a |
From ea4609eca531916ac347686c048bebdb7b4b6e0d Mon Sep 17 00:00:00 2001
|
|
|
54804a |
From: Michael Simacek <msimacek@redhat.com>
|
|
|
54804a |
Date: Fri, 2 Jun 2017 14:37:35 +0200
|
|
|
54804a |
Subject: [PATCH] Backport fix for CVE-2017-5645
|
|
|
54804a |
|
|
|
54804a |
---
|
|
|
54804a |
.../apache/log4j/FilteredObjectInputStream.java | 65 ++++++++++++++++++++++
|
|
|
54804a |
src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++-
|
|
|
54804a |
2 files changed, 80 insertions(+), 2 deletions(-)
|
|
|
54804a |
create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java
|
|
|
54804a |
|
|
|
54804a |
diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
|
|
|
54804a |
new file mode 100644
|
|
|
54804a |
index 0000000..b9ef20c
|
|
|
54804a |
--- /dev/null
|
|
|
54804a |
+++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
|
|
|
54804a |
@@ -0,0 +1,65 @@
|
|
|
54804a |
+/*
|
|
|
54804a |
+ * Licensed to the Apache Software Foundation (ASF) under one or more
|
|
|
54804a |
+ * contributor license agreements. See the NOTICE file distributed with
|
|
|
54804a |
+ * this work for additional information regarding copyright ownership.
|
|
|
54804a |
+ * The ASF licenses this file to You under the Apache license, Version 2.0
|
|
|
54804a |
+ * (the "License"); you may not use this file except in compliance with
|
|
|
54804a |
+ * the License. You may obtain a copy of the License at
|
|
|
54804a |
+ *
|
|
|
54804a |
+ * http://www.apache.org/licenses/LICENSE-2.0
|
|
|
54804a |
+ *
|
|
|
54804a |
+ * Unless required by applicable law or agreed to in writing, software
|
|
|
54804a |
+ * distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
54804a |
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
54804a |
+ * See the license for the specific language governing permissions and
|
|
|
54804a |
+ * limitations under the license.
|
|
|
54804a |
+ */
|
|
|
54804a |
+package org.apache.log4j;
|
|
|
54804a |
+
|
|
|
54804a |
+import java.io.FileOutputStream;
|
|
|
54804a |
+import java.io.IOException;
|
|
|
54804a |
+import java.io.InputStream;
|
|
|
54804a |
+import java.io.InvalidObjectException;
|
|
|
54804a |
+import java.io.ObjectInputStream;
|
|
|
54804a |
+import java.io.ObjectStreamClass;
|
|
|
54804a |
+import java.util.Arrays;
|
|
|
54804a |
+import java.util.Collection;
|
|
|
54804a |
+import java.util.List;
|
|
|
54804a |
+
|
|
|
54804a |
+/**
|
|
|
54804a |
+ * Extended ObjectInputStream that only allows certain classes to be deserialized.
|
|
|
54804a |
+ *
|
|
|
54804a |
+ * Backported from 2.8.2
|
|
|
54804a |
+ */
|
|
|
54804a |
+public class FilteredObjectInputStream extends ObjectInputStream {
|
|
|
54804a |
+
|
|
|
54804a |
+ private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] {
|
|
|
54804a |
+ // Types of non-trainsient fields of LoggingEvent
|
|
|
54804a |
+ "java.lang.String",
|
|
|
54804a |
+ "java.util.Hashtable",
|
|
|
54804a |
+ // ThrowableInformation
|
|
|
54804a |
+ "[Ljava.lang.String;"
|
|
|
54804a |
+ });
|
|
|
54804a |
+
|
|
|
54804a |
+ private final Collection allowedClasses;
|
|
|
54804a |
+
|
|
|
54804a |
+ public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException {
|
|
|
54804a |
+ super(in);
|
|
|
54804a |
+ this.allowedClasses = allowedClasses;
|
|
|
54804a |
+ }
|
|
|
54804a |
+
|
|
|
54804a |
+ protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
|
|
|
54804a |
+ String name = desc.getName();
|
|
|
54804a |
+ if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
|
|
|
54804a |
+ throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
|
|
|
54804a |
+ }
|
|
|
54804a |
+ return super.resolveClass(desc);
|
|
|
54804a |
+ }
|
|
|
54804a |
+
|
|
|
54804a |
+ private static boolean isAllowedByDefault(final String name) {
|
|
|
54804a |
+ return name.startsWith("org.apache.log4j.") ||
|
|
|
54804a |
+ name.startsWith("[Lorg.apache.log4j.") ||
|
|
|
54804a |
+ REQUIRED_JAVA_CLASSES.contains(name);
|
|
|
54804a |
+ }
|
|
|
54804a |
+
|
|
|
54804a |
+}
|
|
|
54804a |
diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java
|
|
|
54804a |
index e977f13..f95bb10 100644
|
|
|
54804a |
--- a/src/main/java/org/apache/log4j/net/SocketNode.java
|
|
|
54804a |
+++ b/src/main/java/org/apache/log4j/net/SocketNode.java
|
|
|
54804a |
@@ -22,6 +22,10 @@ import java.io.IOException;
|
|
|
54804a |
import java.io.InterruptedIOException;
|
|
|
54804a |
import java.io.ObjectInputStream;
|
|
|
54804a |
import java.net.Socket;
|
|
|
54804a |
+import java.util.ArrayList;
|
|
|
54804a |
+import java.util.Arrays;
|
|
|
54804a |
+import java.util.Collection;
|
|
|
54804a |
+import org.apache.log4j.FilteredObjectInputStream;
|
|
|
54804a |
|
|
|
54804a |
import org.apache.log4j.Logger;
|
|
|
54804a |
import org.apache.log4j.spi.LoggerRepository;
|
|
|
54804a |
@@ -53,8 +57,9 @@ public class SocketNode implements Runnable {
|
|
|
54804a |
this.socket = socket;
|
|
|
54804a |
this.hierarchy = hierarchy;
|
|
|
54804a |
try {
|
|
|
54804a |
- ois = new ObjectInputStream(
|
|
|
54804a |
- new BufferedInputStream(socket.getInputStream()));
|
|
|
54804a |
+ ois = new FilteredObjectInputStream(
|
|
|
54804a |
+ new BufferedInputStream(socket.getInputStream()),
|
|
|
54804a |
+ getAllowedClasses());
|
|
|
54804a |
} catch(InterruptedIOException e) {
|
|
|
54804a |
Thread.currentThread().interrupt();
|
|
|
54804a |
logger.error("Could not open ObjectInputStream to "+socket, e);
|
|
|
54804a |
@@ -65,6 +70,14 @@ public class SocketNode implements Runnable {
|
|
|
54804a |
}
|
|
|
54804a |
}
|
|
|
54804a |
|
|
|
54804a |
+ private Collection getAllowedClasses() {
|
|
|
54804a |
+ Collection allowedClasses = new ArrayList();
|
|
|
54804a |
+ String property = System.getProperty("org.apache.log4j.net.allowedClasses");
|
|
|
54804a |
+ if (property != null)
|
|
|
54804a |
+ allowedClasses.addAll(Arrays.asList(property.split(",")));
|
|
|
54804a |
+ return allowedClasses;
|
|
|
54804a |
+ }
|
|
|
54804a |
+
|
|
|
54804a |
//public
|
|
|
54804a |
//void finalize() {
|
|
|
54804a |
//System.err.println("-------------------------Finalize called");
|
|
|
54804a |
--
|
|
|
54804a |
2.9.4
|
|
|
54804a |
|