From: Hideki Yamane <henrich@debian.org>
Date: Thu, 17 Jun 2021 21:42:35 +0900
Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
---
xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
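diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index b5e43af..7a166ca 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -336,11 +336,13 @@ public class XStream {
     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
     private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
     private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
+    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
     private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
     private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
         "javafx\\.collections\\.ObservableList\\$.*");
     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
+    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
     private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
 
     /**
@@ -657,8 +659,8 @@ public class XStream {
             "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
             "sun.swing.SwingLazyValue"});
         denyTypesByRegExp(new Pattern[]{
-            LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
-            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+            LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
+            JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
         denyTypeHierarchy(InputStream.class);
         denyTypeHierarchyDynamically("java.nio.channels.Channel");
         denyTypeHierarchyDynamically("javax.activation.DataSource");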
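Review bot: The two new patterns in the first hunk, `LAZY_ENUMERATORS` and `JAVA_RMI`, carry no comment tying them to the advisory this backport fixes, so a later maintainer reading `(?:java|sun)\\.rmi\\..*` has no way to tell why RMI types are denied or whether the entry may be relaxed; a one-line comment on each, e.g. `// CVE-2021-29505: denied by default since upstream commit f0c4a8d861b6`, would preserve that. Both are deny-list entries, and a deny list only covers the type names already known to be abusable, so this patch narrows the exposure without removing it; the upstream project's own security guidance for untrusted input is an allow-list (`allowTypes` / `allowTypesByWildcard`) instead of the default deny list, and Debian users of the package may want that noted in the package documentation. The `denyTypesByRegExp` call in the second hunk sits inside a method whose start and end are both outside the hunk, presumably the default security setup.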