3b3756
From 9d4e3462f17d135b5c928e2419a17bd444c3f2b4 Mon Sep 17 00:00:00 2001
3b3756
From: Michael Simacek <msimacek@redhat.com>
3b3756
Date: Mon, 19 Mar 2018 16:01:57 +0100
3b3756
Subject: [PATCH] Disallow EventData deserialization by default
3b3756
3b3756
---
3b3756
 .../src/main/java/org/slf4j/ext/EventData.java     | 23 +++++++++++++++-------
3b3756
 1 file changed, 16 insertions(+), 7 deletions(-)
3b3756
3b3756
diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
3b3756
index 4478e52..535c5c0 100644
3b3756
--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
3b3756
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
3b3756
@@ -76,13 +76,22 @@ public class EventData implements Serializable {
3b3756
    */
3b3756
   @SuppressWarnings("unchecked")
3b3756
   public EventData(String xml) {
3b3756
-    ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
3b3756
-    try {
3b3756
-      XMLDecoder decoder = new XMLDecoder(bais);
3b3756
-      this.eventData = (Map<String, Object>) decoder.readObject();
3b3756
-    } catch (Exception e) {
3b3756
-      throw new EventException("Error decoding " + xml, e);
3b3756
-    }
3b3756
+      if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
3b3756
+          ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
3b3756
+          try {
3b3756
+              XMLDecoder decoder = new XMLDecoder(bais);
3b3756
+              this.eventData = (Map<String, Object>) decoder.readObject();
3b3756
+          } catch (Exception e) {
3b3756
+              throw new EventException("Error decoding " + xml, e);
3b3756
+          }
3b3756
+      } else {
3b3756
+          throw new UnsupportedOperationException(
3b3756
+                  "Constructing EventData from XML is vulnerable to remote " +
3b3756
+                  "excution and is not allowed by default. If you're " +
3b3756
+                  "completely sure the source data is trusted, you can enable " +
3b3756
+                  "it by setting org.slf4j.ext.allowInsecureDeserialization " +
3b3756
+                  "JVM property to 1");
3b3756
+      }
3b3756
   }
3b3756
 
3b3756
   /**
3b3756
-- 
3b3756
2.14.3
3b3756