[jackson-databind] 03/04: Use the correct patch from Github.

Markus Koschany apo at moszumanska.debian.org
Fri Oct 20 13:05:25 UTC 2017



apo pushed a commit to branch stretch
in repository jackson-databind.

commit c5a437a283808c5aae2fec52a0323e86938f755a
Author: Markus Koschany <apo at debian.org>
Date:   Thu Oct 19 01:19:33 2017 +0200

    Use the correct patch from Github.
---
 debian/patches/CVE-2017-7525.patch | 64 +++++++++++++++++++++++++++++---------
 1 file changed, 49 insertions(+), 15 deletions(-)

diff --git a/debian/patches/CVE-2017-7525.patch b/debian/patches/CVE-2017-7525.patch
index b4509d6..58f0dca 100644
--- a/debian/patches/CVE-2017-7525.patch
+++ b/debian/patches/CVE-2017-7525.patch
@@ -6,16 +6,53 @@ Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1599
 Bug-Debian: https://bugs.debian.org/870848
 Origin: https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
 ---
- .../databind/deser/BeanDeserializerFactory.java    | 23 +++++++++++++
- .../databind/interop/IllegalTypesCheckTest.java    | 40 ++++++++++++++++++++++
- 2 files changed, 63 insertions(+)
+ .../databind/deser/BeanDeserializerFactory.java    | 50 ++++++++++++++++++++++
+ .../databind/interop/IllegalTypesCheckTest.java    | 40 +++++++++++++++++
+ 2 files changed, 90 insertions(+)
  create mode 100644 src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
 
 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
-index 7815e53..abb0598 100644
+index 7815e53..a5853db 100644
 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
-@@ -137,6 +137,8 @@ public class BeanDeserializerFactory
+@@ -38,6 +38,36 @@ public class BeanDeserializerFactory
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
+ 
+     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
++
++    /**
++     * Set of well-known "nasty classes", deserialization of which is considered dangerous
++     * and should (and is) prevented by default.
++     *
++     * @since 2.8.9
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++    static {
++        Set<String> s = new HashSet<>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599]
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     *
++     * @since 2.8.9
++     */
++    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
++
+     
+     /*
+     /**********************************************************
+@@ -137,6 +167,8 @@ public class BeanDeserializerFactory
          if (!isPotentialBeanType(type.getRawClass())) {
              return null;
          }
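Review bot: The Javadoc on DEFAULT_NO_DESER_CLASS_NAMES should say what kind of check the set backs: it is an exact-name deny-list, so a type is rejected only when its fully-qualified raw class name equals one of the listed strings, and every name not on the list is still deserialized. I would add `* This is an exact-match deny-list: it mitigates the listed classes and does not make default typing safe for untrusted input.` after the first sentence, so that later maintainers do not read "prevented by default" as a general guarantee. The static initializer also relies on Set, HashSet and Collections, whose imports are outside this hunk (it begins at line 38 of BeanDeserializerFactory); this should compile if the class already imports java.util.*, which I believe the 2.8 source does, but it is worth confirming when the patch is applied to the stretch tree.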
@@ -24,12 +61,12 @@ index 7815e53..abb0598 100644
          // Use generic bean introspection to build deserializer
          return buildBeanDeserializer(ctxt, type, beanDesc);
      }
-@@ -841,4 +843,25 @@ public class BeanDeserializerFactory
+@@ -841,4 +873,22 @@ public class BeanDeserializerFactory
          ignoredTypes.put(type, status);
          return status.booleanValue();
      }
 +
-+    /**
++     /**
 +     * @since 2.8.9
 +     */
 +    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
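Review bot: The Javadoc opener for checkIllegalTypes is now indented five spaces (`++     /**`) while the following `* @since` line and the method signature keep four, so the comment block is misaligned once the patch is applied; the previous version of the patch had it at four. Change the added patch line to `+    /**`. The comment also carries only `@since 2.8.9`; a summary sentence such as `Rejects deserialization of a bean whose fully-qualified class name is in {@code _cfgIllegalClassNames}.` plus an `@throws JsonMappingException` tag would help, since the method signals the problem by throwing rather than by its return value. The parameter list and body of checkIllegalTypes continue beyond this hunk.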
@@ -38,17 +75,14 @@ index 7815e53..abb0598 100644
 +    {
 +        // There are certain nasty classes that could cause problems, mostly
 +        // via default typing -- catch them here.
-+        Class<?> raw = type.getRawClass();
-+        String name = raw.getSimpleName();
++        String full = type.getRawClass().getName();
 +
-+        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
-+            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
-+                throw JsonMappingException.from(ctxt,
-+                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
-+                                name));
-+            }
++        if (_cfgIllegalClassNames.contains(full)) {
++            ctxt.reportBadTypeDefinition(beanDesc,
++                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
 +        }
 +    }
++
  }
 diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
 new file mode 100644
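Review bot: The new body calls `ctxt.reportBadTypeDefinition(beanDesc, ...)`, which has to exist on DeserializationContext in the jackson-databind version packaged for stretch; the earlier version of this patch threw via `JsonMappingException.from(ctxt, String.format(...))`, which would be the safer choice if the packaged 2.8.x source predates that helper, so confirm the build against the stretch tree before uploading. The check compares `type.getRawClass().getName()` for exact equality against the configured set, which is narrower than the old `startsWith("com.sun.org.apache.xalan")` prefix test; that matches upstream, but a line in the method comment such as `// exact fully-qualified name match only; no prefix or subtype matching` would keep anyone from assuming broader coverage. checkIllegalTypes begins in the previous hunk, so its signature and throws clause are not visible here.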



