[logback] 02/03: Remove all test cases from CVE-2017-5929.patch and only apply the minimal

Markus Koschany apo at moszumanska.debian.org
Tue Apr 4 13:56:33 UTC 2017


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch master
in repository logback.

commit 630ee5b892eaa6b0293c91ab39f9dc81ec6ce54d
Author: Markus Koschany <apo at debian.org>
Date:   Tue Apr 4 14:47:45 2017 +0200

    Remove all test cases from CVE-2017-5929.patch and only apply the minimal
    
    changes to make it easier to review the package. Tests are disabled anyway.
---
 debian/patches/CVE-2017-5929.patch | 195 +------------------------------------
 1 file changed, 3 insertions(+), 192 deletions(-)

diff --git a/debian/patches/CVE-2017-5929.patch b/debian/patches/CVE-2017-5929.patch
index f63e939..cdf1058 100644
--- a/debian/patches/CVE-2017-5929.patch
+++ b/debian/patches/CVE-2017-5929.patch
@@ -6,16 +6,11 @@ Bug-Debian: https://bugs.debian.org/857343
 Origin: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
 ---
  .../logback/classic/net/SimpleSocketServer.java    |  1 -
- .../server/LogbackClassicSerializationHelper.java  | 28 +++++++++
- .../logback/classic/LoggerSerializationTest.java   | 10 +++-
- .../core/net/HardenedObjectInputStream.java        | 48 +++++++++++++++
- .../core/net/HardenedObjectInputStreamTest.java    | 61 +++++++++++++++++++
- .../java/ch/qos/logback/core/net/Innocent.java     | 69 ++++++++++++++++++++++
- 6 files changed, 215 insertions(+), 2 deletions(-)
+ .../server/LogbackClassicSerializationHelper.java  | 28 +++++++++++++
+ .../core/net/HardenedObjectInputStream.java        | 48 ++++++++++++++++++++++
+ 3 files changed, 76 insertions(+), 1 deletion(-)
  create mode 100644 logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
  create mode 100644 logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
- create mode 100644 logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
- create mode 100644 logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
 
 diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
 index 13bf6f7..17fda2a 100644
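Review bot: After this trim, the diffstat in this hunk lists only two newly created classes and a one-line deletion in SimpleSocketServer.java, so nothing in the listing indicates that HardenedObjectInputStream replaces ObjectInputStream on any code path that reads from a socket. The only call site visible on this page, `new HardenedObjectInputStream(bis, whitelist)`, sits in the test code that the following hunks remove. It is worth confirming, in the patched sources rather than from this header, that the classes which deserialize network input are switched to the whitelisting stream; an unused class would leave the deserialization issue unaddressed. If that wiring is carried by a separate patch, say so in the patch description, for example `This patch only adds the whitelisting stream and its helper; call sites are switched in <name-of-other-patch>`.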
@@ -63,48 +58,6 @@ index 0000000..00a974f
 +        return whitelist;
 +    }
 +}
-diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
-index dd8b2e6..26e9b36 100644
---- a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
-+++ b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
-@@ -14,6 +14,10 @@
- package ch.qos.logback.classic;
- 
- import java.io.*;
-+import java.util.List;
-+
-+import ch.qos.logback.classic.net.server.LogbackClassicSerializationHelper;
-+import ch.qos.logback.core.net.HardenedObjectInputStream;
- 
- import ch.qos.logback.core.util.CoreTestConstants;
- import org.junit.After;
-@@ -37,6 +41,8 @@ public class LoggerSerializationTest {
-     ObjectOutputStream oos;
-     ObjectInputStream inputStream;
- 
-+    List<String> whitelist ;
-+
-     @Before
-     public void setUp() throws Exception {
-         lc = new LoggerContext();
-@@ -45,6 +51,8 @@ public class LoggerSerializationTest {
-         // create the byte output stream
-         bos = new ByteArrayOutputStream();
-         oos = new ObjectOutputStream(bos);
-+        whitelist = LogbackClassicSerializationHelper.getWhilelist();
-+        whitelist.add(Foo.class.getName());
-     }
- 
-     @After
-@@ -110,7 +118,7 @@ public class LoggerSerializationTest {
-     private Foo writeAndRead(Foo foo) throws IOException, ClassNotFoundException {
-         writeObject(oos, foo);
-         ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
--        inputStream = new ObjectInputStream(bis);
-+        inputStream = new HardenedObjectInputStream(bis, whitelist);
-         Foo fooBack = readFooObject(inputStream);
-         inputStream.close();
-         return fooBack;
 diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
 new file mode 100644
 index 0000000..439e2bd
@@ -159,145 +112,3 @@ index 0000000..439e2bd
 +        return false;
 +    }
 +}
-diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
-new file mode 100644
-index 0000000..6a34897
---- /dev/null
-+++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
-@@ -0,0 +1,61 @@
-+package ch.qos.logback.core.net;
-+
-+import static org.junit.Assert.*;
-+
-+import java.io.ByteArrayInputStream;
-+import java.io.ByteArrayOutputStream;
-+import java.io.IOException;
-+import java.io.ObjectOutputStream;
-+import java.util.ArrayList;
-+import java.util.List;
-+
-+import org.junit.After;
-+import org.junit.Before;
-+import org.junit.Test;
-+
-+public class HardenedObjectInputStreamTest {
-+
-+    ByteArrayOutputStream bos;
-+    ObjectOutputStream oos;
-+    HardenedObjectInputStream inputStream;
-+    List<String> whitelist = new ArrayList<String>();
-+    
-+    @Before
-+    public void setUp() throws Exception {
-+        whitelist.add(Innocent.class.getName());
-+        bos = new ByteArrayOutputStream();
-+        oos = new ObjectOutputStream(bos);
-+    }
-+
-+    @After
-+    public void tearDown() throws Exception {
-+    }
-+
-+    @Test
-+    public void smoke() throws ClassNotFoundException, IOException {
-+        Innocent innocent = new Innocent();
-+        innocent.setAnInt(1);
-+        innocent.setAnInteger(2);
-+        innocent.setaString("smoke");
-+        Innocent back = writeAndRead(innocent);
-+        assertEquals(innocent, back);
-+    }
-+
-+
-+
-+    private Innocent writeAndRead(Innocent innocent) throws IOException, ClassNotFoundException {
-+        writeObject(oos, innocent);
-+        ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
-+        inputStream = new HardenedObjectInputStream(bis, whitelist);
-+        Innocent fooBack = (Innocent) inputStream.readObject();
-+        inputStream.close();
-+        return fooBack;
-+    }
-+    
-+    private void writeObject(ObjectOutputStream oos, Object o) throws IOException {
-+        oos.writeObject(o);
-+        oos.flush();
-+        oos.close();
-+    }
-+    
-+}
-diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
-new file mode 100644
-index 0000000..2cef5a0
---- /dev/null
-+++ b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
-@@ -0,0 +1,69 @@
-+package ch.qos.logback.core.net;
-+
-+public class Innocent implements java.io.Serializable {
-+
-+    private static final long serialVersionUID = -1227008349289885025L;
-+
-+    int anInt;
-+    Integer anInteger;
-+    String aString;
-+
-+    public int getAnInt() {
-+        return anInt;
-+    }
-+
-+    public void setAnInt(int anInt) {
-+        this.anInt = anInt;
-+    }
-+
-+    public Integer getAnInteger() {
-+        return anInteger;
-+    }
-+
-+    public void setAnInteger(Integer anInteger) {
-+        this.anInteger = anInteger;
-+    }
-+
-+    public String getaString() {
-+        return aString;
-+    }
-+
-+    public void setaString(String aString) {
-+        this.aString = aString;
-+    }
-+
-+    @Override
-+    public int hashCode() {
-+        final int prime = 31;
-+        int result = 1;
-+        result = prime * result + ((aString == null) ? 0 : aString.hashCode());
-+        result = prime * result + anInt;
-+        result = prime * result + ((anInteger == null) ? 0 : anInteger.hashCode());
-+        return result;
-+    }
-+
-+    @Override
-+    public boolean equals(Object obj) {
-+        if (this == obj)
-+            return true;
-+        if (obj == null)
-+            return false;
-+        if (getClass() != obj.getClass())
-+            return false;
-+        Innocent other = (Innocent) obj;
-+        if (aString == null) {
-+            if (other.aString != null)
-+                return false;
-+        } else if (!aString.equals(other.aString))
-+            return false;
-+        if (anInt != other.anInt)
-+            return false;
-+        if (anInteger == null) {
-+            if (other.anInteger != null)
-+                return false;
-+        } else if (!anInteger.equals(other.anInteger))
-+            return false;
-+        return true;
-+    }
-+
-+}

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/logback.git


