xstream/CVE-2020-26258.patch
2021-01-12 09:47:28 +08:00


From f391169515d77446e94da4836eb65adfbc8acfa2 Mon Sep 17 00:00:00 2001
Date: Mon, 11 Jan 2021 17:32:52 +0800
Subject: [PATCH] Fix and document CVE-2020-26258.
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 692243e..8a4b104 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -698,7 +698,11 @@ public class XStream {
}
addPermission(AnyTypePermission.ANY);
- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
+ denyTypes(new String[]{
+ "java.beans.EventHandler", //
+ "java.lang.ProcessBuilder", //
+ "javax.imageio.ImageIO$ContainsFilter", //
+ "jdk.nashorn.internal.objects.NativeString"});
denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
allowTypeHierarchy(Exception.class);
securityInitialized = false;
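Review bot: The four names added to the `denyTypes` call at the top of the hunk carry no comment connecting them to the CVE-2020-26258 named in the subject, so a later reader cannot tell which entry the fix depends on or why `java.lang.ProcessBuilder` and `jdk.nashorn.internal.objects.NativeString` were added alongside the two existing ones; a comment above the call such as `// Types denied by name because they must never be instantiated from untrusted XML; see CVE-2020-26258.` would preserve that context. This list is evaluated on top of `addPermission(AnyTypePermission.ANY)` two lines earlier, so it is a blocklist over an otherwise open default, and nothing in the hunk says whether the entries are meant to be exhaustive; a one-line note that an explicit allow-list is the recommended configuration for untrusted input would make the intent of this default clear. The trailing `//` on each entry appears to exist only to pin the formatter's line breaks and could be dropped in favour of one element per line. The enclosing method starts before the hunk and continues after `securityInitialized = false;`.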
--
2.23.0