File 0001-Prevent-deserialization-of-void.patch of Package xstream
From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 12 Apr 2017 12:19:21 +0200
Subject: [PATCH] Prevent deserialization of void

---
 .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
 .../xstream/security/PrimitiveTypePermission.java | 5 +++--
 .../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
 3 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
index 2c569ae..491f0d6 100644
--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
             throw ex;
         }
         ErrorWritingException ex = null;
-        try {
-            return unsafe.allocateInstance(type);
-        } catch (SecurityException e) {
-            ex = new ObjectAccessException("Cannot construct type", e);
-        } catch (InstantiationException e) {
-            ex = new ConversionException("Cannot construct type", e);
-        } catch (IllegalArgumentException e) {
-            ex = new ObjectAccessException("Cannot construct type", e);
+        if (type == void.class || type == Void.class) {
+            ex = new ConversionException("Type void cannot have an instance");
+        } else {
+            try {
+                return unsafe.allocateInstance(type);
+            } catch (SecurityException e) {
+                ex = new ObjectAccessException("Cannot construct type", e);
+            } catch (InstantiationException e) {
+                ex = new ConversionException("Cannot construct type", e);
+            } catch (IllegalArgumentException e) {
+                ex = new ObjectAccessException("Cannot construct type", e);
+            }
         }
         ex.add("construction-type", type.getName());
         throw ex;
diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
index fb69b95..c3cbad9 100644
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 XStream Committers.
+ * Copyright (C) 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
 
 import com.thoughtworks.xstream.core.util.Primitives;
 
+
 /**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
  *
  * @author Jörg Schaible
  * @since 1.4.7
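Review bot: The new void guard sits only on the Unsafe path of SunLimitedUnsafeReflectionProvider; the class extends PureJavaReflectionProvider (per the hunk heading) and nothing in this patch touches the superclass's own instantiation route, so a deployment that ends up on the pure-Java provider presumably gets whatever that route does for `void`/`Void` — worth confirming or mirroring the check there. The branch also deserves a why-comment so the next reader does not "simplify" it away, e.g. `// void and Void have no legitimate instances; refuse before Unsafe can allocate one`. The enclosing method starts before this hunk and ends after it.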
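Review bot: The Javadoc now reads "(excl. void)" but this hunk changes no code in PrimitiveTypePermission, and the diffstat shows no other file besides the provider and the test, so whether `allows()` actually rejects `void.class`/`Void.class` depends on code outside the hunk (presumably the Primitives helper it imports) and should be verified before the doc is trusted. testDeniedInstanceOfVoid in the same patch expects a ForbiddenClassException for `<void/>`, which only holds if some permission layer denies it; if this permission still admits void, the instance guard in the provider is the only defence and the comment is misleading.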
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index c77b3ce..0180fd7 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
 import java.beans.EventHandler;
 
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.ProxyTypePermission;
 
+
 /**
  * @author Jörg Schaible
  */
@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
             BUFFER.append("Executed!");
         }
     }
+
+    public void testDeniedInstanceOfVoid() {
+        try {
+            xstream.fromXML("<void/>");
+            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+        } catch (final ForbiddenClassException e) {
+            // OK
+        }
+    }
+
+    public void testAllowedInstanceOfVoid() {
+        xstream.allowTypes(void.class, Void.class);
+        try {
+            xstream.fromXML("<void/>");
+            fail("Thrown " + ConversionException.class.getName() + " expected");
+        } catch (final ConversionException e) {
+            assertEquals("void", e.get("construction-type"));
+        }
+    }
 }
-- 
2.9.3
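Review bot: testAllowedInstanceOfVoid exercises only the primitive `<void/>` form, so the `Void.class` half of the provider's new condition has no coverage; a second case that deserialises the boxed type (presumably `<java.lang.Void/>` under XStream's default class-name mapping) and asserts `assertEquals("java.lang.Void", e.get("construction-type"));` would pin it. Both tests also assume the Unsafe-based provider is active — under PureJavaReflectionProvider the exception type may differ — and `allowTypes` mutates the shared `xstream` fixture, which is only safe if setUp (outside this hunk) rebuilds it for every test.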