|
 |
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/CloneTransformer.java b/src/java/org/apache/commons/collections/functors/CloneTransformer.java
|
|
|
d24b4f |
index 7200402..3df18ff 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/CloneTransformer.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/CloneTransformer.java
|
|
|
d24b4f |
@@ -16,6 +16,9 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.io.IOException;
|
|
|
d24b4f |
+import java.io.ObjectInputStream;
|
|
|
d24b4f |
+import java.io.ObjectOutputStream;
|
|
|
d24b4f |
import java.io.Serializable;
|
|
|
d24b4f |
|
|
|
d24b4f |
import org.apache.commons.collections.Transformer;
|
|
|
d24b4f |
@@ -24,6 +27,16 @@ import org.apache.commons.collections.Transformer;
|
|
|
d24b4f |
* Transformer implementation that returns a clone of the input object.
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* Clone is performed using PrototypeFactory.getInstance(input).create().
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This class will throw an
|
|
|
d24b4f |
+ * {@link UnsupportedOperationException} when trying to serialize or
|
|
|
d24b4f |
+ * de-serialize an instance to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support for {@code CloneTransformer}
|
|
|
d24b4f |
+ * the following system property can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @since Commons Collections 3.0
|
|
|
d24b4f |
* @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
|
|
|
d24b4f |
@@ -68,4 +81,21 @@ public class CloneTransformer implements Transformer, Serializable {
|
|
|
d24b4f |
return PrototypeFactory.getInstance(input).create();
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/ForClosure.java b/src/java/org/apache/commons/collections/functors/ForClosure.java
|
|
|
d24b4f |
index f0355c4..e15475c 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/ForClosure.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/ForClosure.java
|
|
|
d24b4f |
@@ -16,12 +16,25 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.io.IOException;
|
|
|
d24b4f |
+import java.io.ObjectInputStream;
|
|
|
d24b4f |
+import java.io.ObjectOutputStream;
|
|
|
d24b4f |
import java.io.Serializable;
|
|
|
d24b4f |
|
|
|
d24b4f |
import org.apache.commons.collections.Closure;
|
|
|
d24b4f |
|
|
|
d24b4f |
/**
|
|
|
d24b4f |
* Closure implementation that calls another closure n times, like a for loop.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This class will throw an
|
|
|
d24b4f |
+ * {@link UnsupportedOperationException} when trying to serialize or
|
|
|
d24b4f |
+ * de-serialize an instance to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support for {@code ForClosure}
|
|
|
d24b4f |
+ * the following system property can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @since Commons Collections 3.0
|
|
|
d24b4f |
* @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
|
|
|
d24b4f |
@@ -102,4 +115,22 @@ public class ForClosure implements Closure, Serializable {
|
|
|
d24b4f |
return iCount;
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(ForClosure.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(ForClosure.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/FunctorUtils.java b/src/java/org/apache/commons/collections/functors/FunctorUtils.java
|
|
|
d24b4f |
index 75f8d9b..aa7bec3 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/FunctorUtils.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/FunctorUtils.java
|
|
|
d24b4f |
@@ -16,6 +16,8 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.security.AccessController;
|
|
|
d24b4f |
+import java.security.PrivilegedAction;
|
|
|
d24b4f |
import java.util.Collection;
|
|
|
d24b4f |
import java.util.Iterator;
|
|
|
d24b4f |
|
|
|
d24b4f |
@@ -33,7 +35,11 @@ import org.apache.commons.collections.Transformer;
|
|
|
d24b4f |
* @author Matt Benson
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
class FunctorUtils {
|
|
|
d24b4f |
-
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /** System property key to enable unsafe serialization */
|
|
|
d24b4f |
+ final static String UNSAFE_SERIALIZABLE_PROPERTY
|
|
|
d24b4f |
+ = "org.apache.commons.collections.enableUnsafeSerialization";
|
|
|
d24b4f |
+
|
|
|
d24b4f |
/**
|
|
|
d24b4f |
* Restricted constructor.
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
@@ -152,4 +158,33 @@ class FunctorUtils {
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Package-private helper method to check if serialization support is
|
|
|
d24b4f |
+ * enabled for unsafe classes.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * @param clazz the clazz to check for serialization support
|
|
|
d24b4f |
+ * @throws UnsupportedOperationException if unsafe serialization is disabled
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ static void checkUnsafeSerialization(Class clazz) {
|
|
|
d24b4f |
+ String unsafeSerializableProperty;
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ try {
|
|
|
d24b4f |
+ unsafeSerializableProperty =
|
|
|
d24b4f |
+ (String) AccessController.doPrivileged(new PrivilegedAction() {
|
|
|
d24b4f |
+ public Object run() {
|
|
|
d24b4f |
+ return System.getProperty(UNSAFE_SERIALIZABLE_PROPERTY);
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+ });
|
|
|
d24b4f |
+ } catch (SecurityException ex) {
|
|
|
d24b4f |
+ unsafeSerializableProperty = null;
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) {
|
|
|
d24b4f |
+ throw new UnsupportedOperationException(
|
|
|
d24b4f |
+ "Serialization support for " + clazz.getName() + " is disabled for security reasons. " +
|
|
|
d24b4f |
+ "To enable it set system property '" + UNSAFE_SERIALIZABLE_PROPERTY + "' to 'true', " +
|
|
|
d24b4f |
+ "but you must ensure that your application does not de-serialize objects from untrusted sources.");
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
|
|
|
d24b4f |
index 5d375de..938d6dc 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
|
|
|
d24b4f |
@@ -16,6 +16,9 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.io.IOException;
|
|
|
d24b4f |
+import java.io.ObjectInputStream;
|
|
|
d24b4f |
+import java.io.ObjectOutputStream;
|
|
|
d24b4f |
import java.io.Serializable;
|
|
|
d24b4f |
import java.lang.reflect.Constructor;
|
|
|
d24b4f |
import java.lang.reflect.InvocationTargetException;
|
|
|
d24b4f |
@@ -25,6 +28,16 @@ import org.apache.commons.collections.FunctorException;
|
|
|
d24b4f |
|
|
|
d24b4f |
/**
|
|
|
d24b4f |
* Factory implementation that creates a new object instance by reflection.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This class will throw an
|
|
|
d24b4f |
+ * {@link UnsupportedOperationException} when trying to serialize or
|
|
|
d24b4f |
+ * de-serialize an instance to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support for {@code InstantiateTransformer}
|
|
|
d24b4f |
+ * the following system property can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @since Commons Collections 3.0
|
|
|
d24b4f |
* @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
|
|
|
d24b4f |
@@ -136,5 +149,22 @@ public class InstantiateFactory implements Factory, Serializable {
|
|
|
d24b4f |
throw new FunctorException("InstantiateFactory: Constructor threw an exception", ex);
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
-
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
|
|
|
d24b4f |
index 73d6b2f..4927f05 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
|
|
|
d24b4f |
@@ -16,6 +16,9 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.io.IOException;
|
|
|
d24b4f |
+import java.io.ObjectInputStream;
|
|
|
d24b4f |
+import java.io.ObjectOutputStream;
|
|
|
d24b4f |
import java.io.Serializable;
|
|
|
d24b4f |
import java.lang.reflect.Constructor;
|
|
|
d24b4f |
import java.lang.reflect.InvocationTargetException;
|
|
|
d24b4f |
@@ -25,6 +28,16 @@ import org.apache.commons.collections.Transformer;
|
|
|
d24b4f |
|
|
|
d24b4f |
/**
|
|
|
d24b4f |
* Transformer implementation that creates a new object instance by reflection.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This class will throw an
|
|
|
d24b4f |
+ * {@link UnsupportedOperationException} when trying to serialize or
|
|
|
d24b4f |
+ * de-serialize an instance to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support for {@code InstantiateTransformer}
|
|
|
d24b4f |
+ * the following system property can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @since Commons Collections 3.0
|
|
|
d24b4f |
* @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
|
|
|
d24b4f |
@@ -116,4 +129,22 @@ public class InstantiateTransformer implements Transformer, Serializable {
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
|
|
|
d24b4f |
index 6f60961..75f48af 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
|
|
|
d24b4f |
@@ -16,6 +16,9 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.io.IOException;
|
|
|
d24b4f |
+import java.io.ObjectInputStream;
|
|
|
d24b4f |
+import java.io.ObjectOutputStream;
|
|
|
d24b4f |
import java.io.Serializable;
|
|
|
d24b4f |
import java.lang.reflect.InvocationTargetException;
|
|
|
d24b4f |
import java.lang.reflect.Method;
|
|
|
d24b4f |
@@ -25,6 +28,16 @@ import org.apache.commons.collections.Transformer;
|
|
|
d24b4f |
|
|
|
d24b4f |
/**
|
|
|
d24b4f |
* Transformer implementation that creates a new object instance by reflection.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This class will throw an
|
|
|
d24b4f |
+ * {@link UnsupportedOperationException} when trying to serialize or
|
|
|
d24b4f |
+ * de-serialize an instance to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support for {@code InvokerTransformer}
|
|
|
d24b4f |
+ * the following system property can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @since Commons Collections 3.0
|
|
|
d24b4f |
* @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
|
|
|
d24b4f |
@@ -134,4 +147,21 @@ public class InvokerTransformer implements Transformer, Serializable {
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
|
|
|
d24b4f |
index 4fa4150..d9908fa 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
|
|
|
d24b4f |
@@ -49,6 +49,16 @@ public class PrototypeFactory {
|
|
|
d24b4f |
* public copy constructor
|
|
|
d24b4f |
* serialization clone
|
|
|
d24b4f |
*
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This method will return a {@code Factory}
|
|
|
d24b4f |
+ * that will throw an {@link UnsupportedOperationException} when trying to serialize
|
|
|
d24b4f |
+ * or de-serialize it to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support the following system property
|
|
|
d24b4f |
+ * can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @param prototype the object to clone each time in the factory
|
|
|
d24b4f |
* @return the prototype factory
|
|
|
d24b4f |
@@ -144,6 +154,24 @@ public class PrototypeFactory {
|
|
|
d24b4f |
throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
// PrototypeSerializationFactory
|
|
|
d24b4f |
@@ -204,6 +232,24 @@ public class PrototypeFactory {
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
}
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/java/org/apache/commons/collections/functors/WhileClosure.java b/src/java/org/apache/commons/collections/functors/WhileClosure.java
|
|
|
d24b4f |
index 853e83a..596afc8 100644
|
|
|
d24b4f |
--- a/src/java/org/apache/commons/collections/functors/WhileClosure.java
|
|
|
d24b4f |
+++ b/src/java/org/apache/commons/collections/functors/WhileClosure.java
|
|
|
d24b4f |
@@ -16,6 +16,9 @@
|
|
|
d24b4f |
*/
|
|
|
d24b4f |
package org.apache.commons.collections.functors;
|
|
|
d24b4f |
|
|
|
d24b4f |
+import java.io.IOException;
|
|
|
d24b4f |
+import java.io.ObjectInputStream;
|
|
|
d24b4f |
+import java.io.ObjectOutputStream;
|
|
|
d24b4f |
import java.io.Serializable;
|
|
|
d24b4f |
|
|
|
d24b4f |
import org.apache.commons.collections.Closure;
|
|
|
d24b4f |
@@ -24,6 +27,16 @@ import org.apache.commons.collections.Predicate;
|
|
|
d24b4f |
/**
|
|
|
d24b4f |
* Closure implementation that executes a closure repeatedly until a condition is met,
|
|
|
d24b4f |
* like a do-while or while loop.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * WARNING: This class will throw an
|
|
|
d24b4f |
+ * {@link UnsupportedOperationException} when trying to serialize or
|
|
|
d24b4f |
+ * de-serialize an instance to prevent potential remote code execution exploits.
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * In order to re-enable serialization support for {@code WhileClosure}
|
|
|
d24b4f |
+ * the following system property can be used (via -Dproperty=true):
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
+ * org.apache.commons.collections.enableUnsafeSerialization
|
|
|
d24b4f |
+ *
|
|
|
d24b4f |
*
|
|
|
d24b4f |
* @since Commons Collections 3.0
|
|
|
d24b4f |
* @version $Revision: 646777 $ $Date: 2008-04-10 13:33:15 +0100 (Thu, 10 Apr 2008) $
|
|
|
d24b4f |
@@ -120,4 +133,22 @@ public class WhileClosure implements Closure, Serializable {
|
|
|
d24b4f |
return iDoLoop;
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default writeObject implementation to prevent
|
|
|
d24b4f |
+ * serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void writeObject(ObjectOutputStream os) throws IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(WhileClosure.class);
|
|
|
d24b4f |
+ os.defaultWriteObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
+ /**
|
|
|
d24b4f |
+ * Overrides the default readObject implementation to prevent
|
|
|
d24b4f |
+ * de-serialization (see COLLECTIONS-580).
|
|
|
d24b4f |
+ */
|
|
|
d24b4f |
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
|
|
|
d24b4f |
+ FunctorUtils.checkUnsafeSerialization(WhileClosure.class);
|
|
|
d24b4f |
+ is.defaultReadObject();
|
|
|
d24b4f |
+ }
|
|
|
d24b4f |
+
|
|
|
d24b4f |
}
|
|
|
d24b4f |
diff --git a/src/test/org/apache/commons/collections/TestFactoryUtils.java b/src/test/org/apache/commons/collections/TestFactoryUtils.java
|
|
|
d24b4f |
index 0895903..bc7d729 100644
|
|
|
d24b4f |
--- a/src/test/org/apache/commons/collections/TestFactoryUtils.java
|
|
|
d24b4f |
+++ b/src/test/org/apache/commons/collections/TestFactoryUtils.java
|
|
|
d24b4f |
@@ -136,15 +136,6 @@ public class TestFactoryUtils extends junit.framework.TestCase {
|
|
|
d24b4f |
Object created = factory.create();
|
|
|
d24b4f |
assertTrue(proto != created);
|
|
|
d24b4f |
assertEquals(proto, created);
|
|
|
d24b4f |
-
|
|
|
d24b4f |
- // check serialisation works
|
|
|
d24b4f |
- ByteArrayOutputStream buffer = new ByteArrayOutputStream();
|
|
|
d24b4f |
- ObjectOutputStream out = new ObjectOutputStream(buffer);
|
|
|
d24b4f |
- out.writeObject(factory);
|
|
|
d24b4f |
- out.close();
|
|
|
d24b4f |
- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()));
|
|
|
d24b4f |
- Object dest = in.readObject();
|
|
|
d24b4f |
- in.close();
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
public void testPrototypeFactoryPublicCopyConstructor() throws Exception {
|
|
|
d24b4f |
@@ -154,23 +145,6 @@ public class TestFactoryUtils extends junit.framework.TestCase {
|
|
|
d24b4f |
Object created = factory.create();
|
|
|
d24b4f |
assertTrue(proto != created);
|
|
|
d24b4f |
assertEquals(proto, created);
|
|
|
d24b4f |
-
|
|
|
d24b4f |
- // check serialisation works
|
|
|
d24b4f |
- ByteArrayOutputStream buffer = new ByteArrayOutputStream();
|
|
|
d24b4f |
- ObjectOutputStream out = new ObjectOutputStream(buffer);
|
|
|
d24b4f |
- try {
|
|
|
d24b4f |
- out.writeObject(factory);
|
|
|
d24b4f |
- } catch (NotSerializableException ex) {
|
|
|
d24b4f |
- out.close();
|
|
|
d24b4f |
- }
|
|
|
d24b4f |
- factory = FactoryUtils.prototypeFactory(new Mock2("S"));
|
|
|
d24b4f |
- buffer = new ByteArrayOutputStream();
|
|
|
d24b4f |
- out = new ObjectOutputStream(buffer);
|
|
|
d24b4f |
- out.writeObject(factory);
|
|
|
d24b4f |
- out.close();
|
|
|
d24b4f |
- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()));
|
|
|
d24b4f |
- Object dest = in.readObject();
|
|
|
d24b4f |
- in.close();
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
public void testPrototypeFactoryPublicSerialization() throws Exception {
|
|
|
d24b4f |
@@ -180,15 +154,6 @@ public class TestFactoryUtils extends junit.framework.TestCase {
|
|
|
d24b4f |
Object created = factory.create();
|
|
|
d24b4f |
assertTrue(proto != created);
|
|
|
d24b4f |
assertEquals(proto, created);
|
|
|
d24b4f |
-
|
|
|
d24b4f |
- // check serialisation works
|
|
|
d24b4f |
- ByteArrayOutputStream buffer = new ByteArrayOutputStream();
|
|
|
d24b4f |
- ObjectOutputStream out = new ObjectOutputStream(buffer);
|
|
|
d24b4f |
- out.writeObject(factory);
|
|
|
d24b4f |
- out.close();
|
|
|
d24b4f |
- ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()));
|
|
|
d24b4f |
- Object dest = in.readObject();
|
|
|
d24b4f |
- in.close();
|
|
|
d24b4f |
}
|
|
|
d24b4f |
|
|
|
d24b4f |
public void testPrototypeFactoryPublicSerializationError() {
|