Apache
/
commons-collections
mirror of https://github.com/apache/commons-collections.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[COLLECTIONS-580] Add javadoc, improve error message and apply review comments. 

git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713537 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Thomas Neidhart 2015-11-09 21:09:05 +00:00
parent fd61086df2
commit 5ec476b0b7
2 changed files with 27 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/java/org/apache/commons/collections/functors/InvokerTransformer.java
View File

@ -18,6 +18,7 @@ package org.apache.commons.collections.functors;
import java.io.IOException; import java.io.IOException;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable; import java.io.Serializable;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method; import java.lang.reflect.Method;
@ -29,6 +30,17 @@ import org.apache.commons.collections.Transformer;
/** /**
* Transformer implementation that creates a new object instance by reflection. * Transformer implementation that creates a new object instance by reflection.
* <p>
* <b>WARNING:</b> from v3.2.2 onwards this class will throw an
* {@link UnsupportedOperationException} when trying to de-serialize an
* instance from a {@link ObjectOutputStream} to prevent potential
* remote code execution exploits.
* <p>
* In order to re-enable de-serialization of {@code InvokerTransformer}
* instances, the following system property can be used (via -Dproperty=true):
* <pre>
* org.apache.commons.collections.invokertransformer.enableDeserialization
* </pre>
* *
* @since Commons Collections 3.0 * @since Commons Collections 3.0
* @version $Revision$ $Date$ * @version $Revision$ $Date$
@ -160,8 +172,10 @@ public class InvokerTransformer implements Transformer, Serializable {
deserializeProperty = null; deserializeProperty = null;
} }
if (deserializeProperty == null || !deserializeProperty.equalsIgnoreCase("true")) { if (!"true".equalsIgnoreCase(deserializeProperty)) {
throw new UnsupportedOperationException("Deserialization of InvokerTransformer is disabled, "); throw new UnsupportedOperationException(
"Deserialization of InvokerTransformer is disabled for security reasons. " +
"To re-enable it set system property '" + DESERIALIZE + "' to 'true'");
} }
is.defaultReadObject(); is.defaultReadObject();

4
src/test/org/apache/commons/collections/functors/TestInvokerTransformer.java
View File

@ -44,6 +44,7 @@ public class TestInvokerTransformer extends BulkTest {
Assert.assertNull(System.getProperty(InvokerTransformer.DESERIALIZE)); Assert.assertNull(System.getProperty(InvokerTransformer.DESERIALIZE));
System.setProperty(InvokerTransformer.DESERIALIZE, "true"); System.setProperty(InvokerTransformer.DESERIALIZE, "true");
try {
InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
byte[] data = serialize(transformer); byte[] data = serialize(transformer);
Assert.assertNotNull(data); Assert.assertNotNull(data);
@ -53,9 +54,10 @@ public class TestInvokerTransformer extends BulkTest {
} catch (UnsupportedOperationException ex) { } catch (UnsupportedOperationException ex) {
fail("de-serialization of InvokerTransformer should be enabled"); fail("de-serialization of InvokerTransformer should be enabled");
} }
} finally {
System.clearProperty(InvokerTransformer.DESERIALIZE); System.clearProperty(InvokerTransformer.DESERIALIZE);
} }
}
private byte[] serialize(InvokerTransformer transformer) throws IOException { private byte[] serialize(InvokerTransformer transformer) throws IOException {
ByteArrayOutputStream baos = new ByteArrayOutputStream(); ByteArrayOutputStream baos = new ByteArrayOutputStream();