Tree - rpms/slf4j - CentOS Git server

rpms / slf4j

Blame SOURCES/0001-Disallow-EventData-deserialization-by-default.patch

Blob History Raw

		f1b90f	`From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001`
		f1b90f	`From: Michael Simacek <msimacek@redhat.com>`
		f1b90f	`Date: Mon, 19 Mar 2018 16:01:57 +0100`
		f1b90f	`Subject: [PATCH] Disallow EventData deserialization by default`
		f1b90f
		f1b90f	`---`
		f1b90f	`.../src/main/java/org/slf4j/ext/EventData.java \| 21 +++++++++++++++------`
		f1b90f	`1 file changed, 15 insertions(+), 6 deletions(-)`
		f1b90f
		f1b90f	`diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java`
		f1b90f	`index dc5b502..fa5c125 100644`
		f1b90f	`--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java`
		f1b90f	`+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java`
		f1b90f	`@@ -76,12 +76,21 @@ public class EventData implements Serializable {`
		f1b90f	`*/`
		f1b90f	`@SuppressWarnings("unchecked")`
		f1b90f	`public EventData(String xml) {`
		f1b90f	`- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());`
		f1b90f	`- try {`
		f1b90f	`- XMLDecoder decoder = new XMLDecoder(bais);`
		f1b90f	`- this.eventData = (Map<String, Object>) decoder.readObject();`
		f1b90f	`- } catch (Exception e) {`
		f1b90f	`- throw new EventException("Error decoding " + xml, e);`
		f1b90f	`+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {`
		f1b90f	`+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());`
		f1b90f	`+ try {`
		f1b90f	`+ XMLDecoder decoder = new XMLDecoder(bais);`
		f1b90f	`+ this.eventData = (Map<String, Object>) decoder.readObject();`
		f1b90f	`+ } catch (Exception e) {`
		f1b90f	`+ throw new EventException("Error decoding " + xml, e);`
		f1b90f	`+ }`
		f1b90f	`+ } else {`
		f1b90f	`+ throw new UnsupportedOperationException(`
		f1b90f	`+ "Constructing EventData from XML is vulnerable to remote " +`
		f1b90f	`+ "excution and is not allowed by default. If you're " +`
		f1b90f	`+ "completely sure the source data is trusted, you can enable " +`
		f1b90f	`+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +`
		f1b90f	`+ "JVM property to 1");`
		f1b90f	`}`
		f1b90f	`}`
		f1b90f
		f1b90f	`--`
		f1b90f	`2.14.3`
		f1b90f

rpms / slf4j

Source Code

Blame SOURCES/0001-Disallow-EventData-deserialization-by-default.patch