Blame SOURCES/CVE-2017-7525.patch

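--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2016-07-23 03:36:51.000000000 +0100
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2017-07-20 15:42:39.836790820 +0100
@@ -139,6 +139,8 @@
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -826,4 +828,22 @@
         // We default to 'false', i.e. not ignorable
         return (status == null) ? false : status.booleanValue(); 
     }
+
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        Class raw = type.getRawClass();
+        String name = raw.getSimpleName();
+
+        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
+            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+                throw JsonMappingException.from(ctxt,
+                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                                name));
+            }
+        }
+    }
 }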
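Review bot: The new `checkIllegalTypes` method (second hunk) is `protected` and therefore an extension point for factory subclasses, yet it has no Javadoc stating its contract: it is called from the bean-deserializer path right after the `isPotentialBeanType` guard (first hunk) and signals rejection only by throwing, never by a return value. A Javadoc along the lines of "Method called to verify that the given type may be deserialized at all; throws JsonMappingException if deserialization is to be prevented for security reasons (see [databind#1599]); the beanDesc parameter is currently unused" with a matching `@throws JsonMappingException` tag would tell overriders what they must preserve. The same omission remains in the later hunk of this patch that rewrites the method body, since that hunk touches only the body and not the declaration. As a minor point of style, `Class raw` is a raw type; `Class<?> raw = type.getRawClass();` avoids the rawtypes warning without changing behavior.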
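--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -39,7 +39,33 @@
     private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class };
 
     private final static Class[] NO_VIEWS = new Class[0];
-    
+
+    /**
+     * Set of well-known "nasty classes", deserialization of which is considered dangerous
+     * and should (and is) prevented by default.
+     */
+    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+    static {
+        Set<String> s = new HashSet<String>();
+        // Courtesy of [https://github.com/kantega/notsoserial]:
+        // (and wrt [databind#1599]
+        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+        s.add("org.codehaus.groovy.runtime.MethodClosure");
+        s.add("org.springframework.beans.factory.ObjectFactory");
+        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+    }
+
+    /**
+     * Set of class names of types that are never to be deserialized.
+     */
+    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
     /*
     /**********************************************************
     /* Life-cycle
@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
     {
         // There are certain nasty classes that could cause problems, mostly
         // via default typing -- catch them here.
-        Class raw = type.getRawClass();
-        String name = raw.getSimpleName();
-
-        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
-            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
-                throw JsonMappingException.from(ctxt,
-                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
-                                name));
-            }
+        String full = type.getRawClass().getName();
+
+        if (_cfgIllegalClassNames.contains(full)) {
+            throw JsonMappingException.from(ctxt.getParser(),
+                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
         }
     }
 }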
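Review bot: The rewritten check in the last hunk tests `_cfgIllegalClassNames.contains(full)` against the exact `Class.getName()` of the raw type, so a subclass of a listed class is not rejected and nothing outside the list is touched; the field's Javadoc in the first hunk ("Set of class names of types that are never to be deserialized") reads as a stronger guarantee than that. Suggest rewording it to "Fully-qualified class names (as returned by `Class.getName()`) that `checkIllegalTypes` rejects; matching is exact, so subclasses are not covered, and this deny-list is a best-effort mitigation rather than a replacement for not enabling default typing on untrusted input" — the existing body comment already ties the risk to default typing. The field is a non-final `protected` member with no setter or copy-on-configure visible in this hunk; if one exists it is outside the hunk, and if not, the Javadoc should say that subclassing the factory is the way to extend the list. Lastly, the static initializer's comment `// (and wrt [databind#1599]` is missing its closing parenthesis.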