From 5d6fe1e8c071bd56cf08f86e337f617fc9895b30 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Fri, 18 May 2018 15:22:49 +0200
Subject: [PATCH] Disallow deserialization of <ex:serializable> tags
|
Can be reenabled by setting JVM property
org.apache.xmlrpc.allowInsecureDeserialization to 1.
|
- Resolves CVE-2016-5003
---
.../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
1 file changed, 8 insertions(+)
|
diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
index 18f25ac..c8bb7ed 100644
--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
*/
public class SerializableParser extends ByteArrayParser {
public Object getResult() throws XmlRpcException {
+ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
+ throw new UnsupportedOperationException(
+ "Deserialization of ex:serializable objects is vulnerable to " +
+ "remote execution attacks and is disabled by default. " +
+ "If you are sure the source data is trusted, you can enable " +
+ "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +
+ "JVM property to 1");
+ }
try {
byte[] res = (byte[]) super.getResult();
ByteArrayInputStream bais = new ByteArrayInputStream(res);
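Review bot: The new guard throws an unchecked UnsupportedOperationException from a method declared `throws XmlRpcException`, so callers that handle parse failures via XmlRpcException (and the fault path a server would normally report through) will not catch it; the fail-closed behaviour is right, but `throw new XmlRpcException("Deserialization of ex:serializable objects is vulnerable to " + ...)` keeps the refusal on the existing error-handling path instead of surfacing as an unhandled runtime exception. The check is correctly placed before `super.getResult()` and before any ObjectInputStream is built, so no bytes reach deserialization unless the property is set. It would help to note in a comment on the guard that the property is read on every call (so it can be toggled at runtime) and that, when enabled, the ObjectInputStream path below still accepts any class; on Java 9+ an ObjectInputFilter there would be the natural second layer. The body of getResult continues past the end of the hunk.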
--
2.17.0
|