From 5d6fe1e8c071bd56cf08f86e337f617fc9895b30 Mon Sep 17 00:00:00 2001
From: Michael Simacek
Date: Fri, 18 May 2018 15:22:49 +0200
Subject: [PATCH] Disallow deserialization of tags

Can be reenabled by setting JVM property org.apache.xmlrpc.allowInsecureDeserialization to 1.
- Resolves CVE-2016-5003
---
 .../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
index 18f25ac..c8bb7ed 100644
--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
 */
 public class SerializableParser extends ByteArrayParser {
 public Object getResult() throws XmlRpcException {
+ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
+ throw new UnsupportedOperationException(
+ "Deserialization of ex:serializable objects is vulnerable to " + "remote execution attacks and is disabled by default. " + "If you are sure the source data is trusted, you can enable " + "it by setting org.apache.xmlrpc.allowInsecureDeserialization " + "JVM property to 1");
+ }
 try {
 byte[] res = (byte[]) super.getResult();
 ByteArrayInputStream bais = new ByteArrayInputStream(res);

-- 
2.17.0
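Review bot: The opt-in path stays unfiltered — once org.apache.xmlrpc.allowInsecureDeserialization is set to 1, getResult() proceeds to deserialize whatever `res` holds with no class restriction, so the property switches the CVE-2016-5003 fix off wholesale instead of narrowing it to trusted types. If the build targets a JDK that has `java.io.ObjectInputFilter` (9+, also backported to 8u121+), the object stream presumably built on `bais` should get an allowlist filter even when the property is set, e.g. `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("<ALLOWED_PACKAGE_PLACEHOLDER>.*;!*"))`; that stream and the rest of getResult() lie outside the hunk. A smaller point: the guard throws UnsupportedOperationException from a method declared `throws XmlRpcException`, so callers handling the parser's declared failure mode will not see it, and `throw new XmlRpcException(...)` with the same message would keep the contract (confirm the String constructor is the one the project uses). The check also deserves a why-comment, e.g. `// Fail closed: ex:serializable payloads are raw Java serialization (CVE-2016-5003); only the explicit "1" opt-in enables them.`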