packages/xmlrpc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
xmlrpc/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
chengzihan2 35426729dd package init
2020-08-28 16:13:34 +08:00

36 lines
1.7 KiB
Diff
Raw Blame History

From 495d6136d9de5c0bbddadffe11b0841c6aafcb34 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Fri, 18 May 2018 15:22:49 +0200
Subject: [PATCH 1/2] Disallow deserialization of <ex:serializable> tags
Can be reenabled by setting JVM property
org.apache.xmlrpc.allowInsecureDeserialization to 1.
- Resolves CVE-2016-5003
---
.../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
index 18f25ac..c8bb7ed 100644
--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
*/
public class SerializableParser extends ByteArrayParser {
public Object getResult() throws XmlRpcException {
+ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
+ throw new UnsupportedOperationException(
+ "Deserialization of ex:serializable objects is vulnerable to " +
+ "remote execution attacks and is disabled by default. " +
+ "If you are sure the source data is trusted, you can enable " +
+ "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +
+ "JVM property to 1");
+ }
try {
byte[] res = (byte[]) super.getResult();
ByteArrayInputStream bais = new ByteArrayInputStream(res);
--
2.17.0
Reference in New Issue View Git Blame Copy Permalink