ofbiz-notifications mailing list archives

From "ASF subversion and git services (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)
Date Mon, 24 Feb 2020 10:58:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043407#comment-17043407

ASF subversion and git services commented on OFBIZ-10837:

Commit e78cc49d713f40822608491230de8432aafdd875 in ofbiz-framework's branch refs/heads/release18.12
from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e78cc49 ]

Fixed: Improve ObjectInputStream class (CVE-2019-0189)
Improved: no functional change
(OFBIZ-10837) (OFBIZ-11398)

Steps to generate:
1. Navigate to - catalog/control/EditProdCatalog?prodCatalogId=TestCatalog
3. The broken page will be displayed

The issue is due to the use of a GString in

    result.successMessageList = [
        "Categories updated: ${categoriesUpdated}",
        "Products updated: ${productsUpdated}"

As it's common to use such expressions I have added the necessary
org.codehaus.groovy.runtime.GStringImpl groovy.lang.GString
to the white list of classes in listOfSafeObjectsForInputStream in

I finally have also decided to use this property as default and commented for
committers to be aware that it should be also put in DEFAULT_WHITELIST_PATTERN
in SafeObjectInputStream class. Because if, for a reason,
listOfSafeObjectsForInputStream is empty OFBiz will still be protected

Thanks: Dikpal Kanungo for reporting

# Conflicts:
# SafeObjectInputStream.java
Handled by hand

> Improve ObjectInputStream class (CVE-2019-0189)
> -----------------------------------------------
>                 Key: OFBIZ-10837
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10837
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code
> smell in Findbugs[2]) when extending to use the same name as the extended Object.[3]
> [1] [https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false]
> [2] [https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html]
> [3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows the simple
> name of the superclass java.io.ObjectInputStream
> This class has a simple name that is identical to that of its superclass, except that
> its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally
> confusing, create lots of situations in which you have to look at import statements to resolve
> references and creates many opportunities to accidentally define methods that do not override
> methods in their superclasses.
> Rank: Troubling (14), confidence: High
> Type: Nm, Category: BAD_PRACTICE (Bad practice)
> 2019/09/12: Initially this description was intentionally done to somehow
> hide a security issue (CVE-2019-0189) while allowing to fix the bug.
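The allow-list mechanism the commit describes (a configured list of class names, plus a hard-coded DEFAULT_WHITELIST_PATTERN as a fallback so that an empty property still leaves the stream protected), shown as an added Java example; this is illustrative code, not OFBiz's SafeObjectInputStream, and the class name, the pattern contents and the sample payloads are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative allow-listing stream (assumed names; not OFBiz's SafeObjectInputStream).
public class AllowListObjectInputStream extends ObjectInputStream {
    // Hard-coded fallback, checked even when the configured list is empty (assumed contents).
    private static final Pattern DEFAULT_WHITELIST_PATTERN = Pattern.compile("java\\.(lang|util|math)\\..*"
        + "|org\\.codehaus\\.groovy\\.runtime\\.GStringImpl|groovy\\.lang\\.GString");
    private final List<String> configuredAllowList; // e.g. read from a properties file

    public AllowListObjectInputStream(InputStream in, List<String> allowList) throws IOException {
        super(in);
        this.configuredAllowList = allowList;
    }

    // Every class descriptor in the stream passes through here; rejecting by name stops the class
    // from being loaded at all, so no code of an unexpected class can run during readObject().
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    boolean isAllowed(String name) { // array descriptors ("[L...;") would need unwrapping first
        return configuredAllowList.contains(name) || DEFAULT_WHITELIST_PATTERN.matcher(name).matches();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: Date matches the default pattern, java.io.File does not.
        for (Object sample : new Object[] {new java.util.Date(0L), new java.io.File("x")}) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(sample); }
            try (ObjectInputStream ois = new AllowListObjectInputStream(
                    new ByteArrayInputStream(bos.toByteArray()), Collections.emptyList())) {
                System.out.println("accepted: " + ois.readObject().getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

On Java 9 and later the same policy can also be expressed with the standard java.io.ObjectInputFilter (JEP 290) instead of overriding resolveClass.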
