rpms / slf4j

Clone
Source Code
GIT

Blame SOURCES/0001-Disallow-EventData-deserialization-by-default.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-10.6 c8-beta-stream-201801 c8-beta-stream-3.5 c8-beta-stream-3.6 c8-beta-stream-3.8 c8-stream-10.6 c8-stream-201801 c8-stream-3.5 c8-stream-3.6 c8-stream-3.8 c8s-stream-201902 c8s-stream-3.5 c8s-stream-3.6 c8s-stream-3.8 c9 c9-beta c9-beta-stream-3.8 c9-stream-3.8
  1.   c8-beta-stream-10.6
  2.   SOURCES
  3.   0001-Disallow-EventData-deserialization-by-default.patch
Blob History Raw
4533ba 
From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
4533ba 
From: Michael Simacek <msimacek@redhat.com>
4533ba 
Date: Mon, 19 Mar 2018 16:01:57 +0100
4533ba 
Subject: [PATCH] Disallow EventData deserialization by default
4533ba
4533ba 
---
4533ba 
 .../src/main/java/org/slf4j/ext/EventData.java      | 21 +++++++++++++++------
4533ba 
 1 file changed, 15 insertions(+), 6 deletions(-)
4533ba
4533ba 
diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
4533ba 
index dc5b502..fa5c125 100644
4533ba 
--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
4533ba 
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
4533ba 
@@ -76,12 +76,21 @@ public class EventData implements Serializable {
4533ba 
      */
4533ba 
     @SuppressWarnings("unchecked")
4533ba 
     public EventData(String xml) {
4533ba 
-        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
4533ba 
-        try {
4533ba 
-            XMLDecoder decoder = new XMLDecoder(bais);
4533ba 
-            this.eventData = (Map<String, Object>) decoder.readObject();
4533ba 
-        } catch (Exception e) {
4533ba 
-            throw new EventException("Error decoding " + xml, e);
4533ba 
+        if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
4533ba 
+            ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
4533ba 
+            try {
4533ba 
+                XMLDecoder decoder = new XMLDecoder(bais);
4533ba 
+                this.eventData = (Map<String, Object>) decoder.readObject();
4533ba 
+            } catch (Exception e) {
4533ba 
+                throw new EventException("Error decoding " + xml, e);
4533ba 
+            }
4533ba 
+        } else {
4533ba 
+            throw new UnsupportedOperationException(
4533ba 
+                    "Constructing EventData from XML is vulnerable to remote " +
4533ba 
+                    "excution and is not allowed by default. If you're " +
4533ba 
+                    "completely sure the source data is trusted, you can enable " +
4533ba 
+                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
4533ba 
+                    "JVM property to 1");
4533ba 
         }
4533ba 
     }
4533ba
4533ba 
--
4533ba 
2.14.3
4533ba

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation