backport CVE-2023-6378 #747
Conversation
Signed-off-by: Ceki Gulcu <ceki@qos.ch>
Signed-off-by: Ceki Gulcu <ceki@qos.ch>
Signed-off-by: Ceki Gulcu <ceki@qos.ch>
| final private static int DEPTH_LIMIT = 16; | ||
| final private static int ARRAY_LIMIT = 10000; |
There was a problem hiding this comment.
you forgot to use those. Did you have a merge conflict when cherry-picking 9c782b4 and 2cd8cab ?
Just for the record, although the PR has been already closed.
No I had no merge conflict for them. The fix of this CVE has been first announced for 1.13.12:
https://logback.qos.ch/news.html#1.3.12
Which is also reflected by the GitHub Advisory board accordingly:
So that I only cherry-picked the green commits below (from branch_1.3.x), but apparently there was more to it (the red commit by the 1.13.14 release) which you're asking about.
But apparently the fix had even much more to it than just cherry-picking as we see in bb09515.
| @@ -20,20 +20,22 @@ | |||
| */ | |||
| public class HardenedObjectInputStream extends ObjectInputStream { | |||
|
|
|||
| final List<String> whitelistedClassNames; | |||
| final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" }; | |||
| final private List<String> whitelistedClassNames; | |||
There was a problem hiding this comment.
these are currently unused, you're missing
private void initObjectFilter() {
this.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
"maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";"
));
}
There was a problem hiding this comment.
these are currently unused, you're missing
private void initObjectFilter() { this.setObjectInputFilter(ObjectInputFilter.Config.createFilter( "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";" )); }
Please see my answer above.
|
Please see if commit bb09515 works for you |
Thanks, then I simply close this PR as you're already on it. Looking forward to the upcoming |
With JDK8 all tests pass through
mvn test: