|
 |
3c398b |
From 5d6fe1e8c071bd56cf08f86e337f617fc9895b30 Mon Sep 17 00:00:00 2001
|
|
|
3c398b |
From: Michael Simacek <msimacek@redhat.com>
|
|
|
3c398b |
Date: Fri, 18 May 2018 15:22:49 +0200
|
|
|
3c398b |
Subject: [PATCH] Disallow deserialization of <ex:serializable> tags
|
|
|
3c398b |
|
|
|
3c398b |
Can be reenabled by setting JVM property
|
|
|
3c398b |
org.apache.xmlrpc.allowInsecureDeserialization to 1.
|
|
|
3c398b |
|
|
|
3c398b |
- Resolves CVE-2016-5003
|
|
|
3c398b |
---
|
|
|
3c398b |
.../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
|
|
|
3c398b |
1 file changed, 8 insertions(+)
|
|
|
3c398b |
|
|
|
3c398b |
diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
|
|
|
3c398b |
index 18f25ac..c8bb7ed 100644
|
|
|
3c398b |
--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
|
|
|
3c398b |
+++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
|
|
|
3c398b |
@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
|
|
|
3c398b |
*/
|
|
|
3c398b |
public class SerializableParser extends ByteArrayParser {
|
|
|
3c398b |
public Object getResult() throws XmlRpcException {
|
|
|
3c398b |
+ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
|
|
|
3c398b |
+ throw new UnsupportedOperationException(
|
|
|
3c398b |
+ "Deserialization of ex:serializable objects is vulnerable to " +
|
|
|
3c398b |
+ "remote execution attacks and is disabled by default. " +
|
|
|
3c398b |
+ "If you are sure the source data is trusted, you can enable " +
|
|
|
3c398b |
+ "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +
|
|
|
3c398b |
+ "JVM property to 1");
|
|
|
3c398b |
+ }
|
|
|
3c398b |
try {
|
|
|
3c398b |
byte[] res = (byte[]) super.getResult();
|
|
|
3c398b |
ByteArrayInputStream bais = new ByteArrayInputStream(res);
|
|
|
3c398b |
--
|
|
|
3c398b |
2.17.0
|
|
|
3c398b |
|