[COLLECTIONS-580] Add fix for PrototypeFactory as well.

git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X@1713849 13f79535-47bb-0310-9956-ffa450edef68

src/java/org/apache/commons/collections/functors/PrototypeFactory.java

@@ -49,6 +49,16 @@ public class PrototypeFactory {
      * <li>public copy constructor
      * <li>serialization clone
      * <ul>
+     * <p>
+     * <b>WARNING:</b> from v3.2.2 onwards this method will return a {@code Factory}
+     * that will throw an {@link UnsupportedOperationException} when trying to serialize
+     * or de-serialize it to prevent potential remote code execution exploits.
+     * <p>
+     * In order to re-enable serialization support the following system property
+     * can be used (via -Dproperty=true):
+     * <pre>
+     * org.apache.commons.collections.enableUnsafeSerialization
+     * </pre>
      *
      * @param prototype  the object to clone each time in the factory
      * @return the <code>prototype</code> factory
@@ -144,6 +154,24 @@ public Object create() {
                 throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
             }
         }
+
+        /**
+         * Overrides the default writeObject implementation to prevent
+         * serialization (see COLLECTIONS-580).
+         */
+        private void writeObject(ObjectOutputStream os) throws IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+            os.defaultWriteObject();
+        }
+
+        /**
+         * Overrides the default readObject implementation to prevent
+         * de-serialization (see COLLECTIONS-580).
+         */
+        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+            is.defaultReadObject();
+        }
     }
 
     // PrototypeSerializationFactory
@@ -204,6 +232,24 @@ public Object create() {
                 }
             }
         }
+
+        /**
+         * Overrides the default writeObject implementation to prevent
+         * serialization (see COLLECTIONS-580).
+         */
+        private void writeObject(ObjectOutputStream os) throws IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+            os.defaultWriteObject();
+        }
+
+        /**
+         * Overrides the default readObject implementation to prevent
+         * de-serialization (see COLLECTIONS-580).
+         */
+        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+            is.defaultReadObject();
+        }
     }
 
 }

src/java/org/apache/commons/collections/functors/package.html

@@ -38,6 +38,8 @@
   <li>InstantiateFactory</li>
   <li>InstantiateTransformer</li>
   <li>InvokerTransformer</li>
+  <li>PrototypeFactory$PrototypeCloneFactory</li>
+  <li>PrototypeFactory$PrototypeSerializationFactory</li>
   <li>WhileClosure</li>
 </ul>
 <p>

src/test/org/apache/commons/collections/functors/TestAll.java

@@ -36,6 +36,7 @@ public static Test suite() {
         suite.addTest(TestInstantiateTransformer.suite());
         suite.addTest(TestInstantiateFactory.suite());
         suite.addTest(TestInvokerTransformer.suite());
+        suite.addTest(TestPrototypeFactory.suite());
         suite.addTest(TestWhileClosure.suite());
         return suite;
     }

src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java

@@ -0,0 +1,49 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.commons.collections.functors;
+
+import java.util.ArrayList;
+
+import org.apache.commons.collections.Factory;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+public class TestPrototypeFactory extends AbstractTestSerialization {
+
+    // conventional
+    // ------------------------------------------------------------------------
+
+    public TestPrototypeFactory(String testName) {
+        super(testName);
+    }
+
+    public static Test suite() {
+        return new TestSuite(TestPrototypeFactory.class);
+    }
+
+    // ------------------------------------------------------------------------
+
+    public Object makeObject() {
+        return PrototypeFactory.getInstance(new ArrayList());
+    }
+
+    public Class getTestClass() {
+        return Factory.class;
+    }
+
+}