From 5d6fe1e8c071bd56cf08f86e337f617fc9895b30 Mon Sep 17 00:00:00 2001

From: Michael Simacek <msimacek@redhat.com>

Date: Fri, 18 May 2018 15:22:49 +0200

Subject: [PATCH] Disallow deserialization of <ex:serializable> tags

Can be reenabled by setting JVM property

org.apache.xmlrpc.allowInsecureDeserialization to 1.

- Resolves CVE-2016-5003

---

 .../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java

index 18f25ac..c8bb7ed 100644

--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java

+++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java

@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;

  */

 public class SerializableParser extends ByteArrayParser {

 	public Object getResult() throws XmlRpcException {

+                if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {

+                    throw new UnsupportedOperationException(

+                            "Deserialization of ex:serializable objects is vulnerable to " +

+                            "remote execution attacks and is disabled by default. " +

+                            "If you are sure the source data is trusted, you can enable " +

+                            "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +

+                            "JVM property to 1");

+                }

 		try {

 			byte[] res = (byte[]) super.getResult();

 			ByteArrayInputStream bais = new ByteArrayInputStream(res);

-- 

2.17.0