diff --git a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java index 5ba69ebd59..e28efb2354 100644 --- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java +++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java @@ -49,6 +49,16 @@ public class PrototypeFactory { *
+ * WARNING: from v3.2.2 onwards this method will return a {@code Factory} + * that will throw an {@link UnsupportedOperationException} when trying to serialize + * or de-serialize it to prevent potential remote code execution exploits. + *
+ * In order to re-enable serialization support the following system property + * can be used (via -Dproperty=true): + *
+ * org.apache.commons.collections.enableUnsafeSerialization + ** * @param prototype the object to clone each time in the factory * @return the
prototype
factory
@@ -144,6 +154,24 @@ public Object create() {
throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
}
}
+
+ /**
+ * Overrides the default writeObject implementation to prevent
+ * serialization (see COLLECTIONS-580).
+ */
+ private void writeObject(ObjectOutputStream os) throws IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+ os.defaultWriteObject();
+ }
+
+ /**
+ * Overrides the default readObject implementation to prevent
+ * de-serialization (see COLLECTIONS-580).
+ */
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
+ is.defaultReadObject();
+ }
}
// PrototypeSerializationFactory
@@ -204,6 +232,24 @@ public Object create() {
}
}
}
+
+ /**
+ * Overrides the default writeObject implementation to prevent
+ * serialization (see COLLECTIONS-580).
+ */
+ private void writeObject(ObjectOutputStream os) throws IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+ os.defaultWriteObject();
+ }
+
+ /**
+ * Overrides the default readObject implementation to prevent
+ * de-serialization (see COLLECTIONS-580).
+ */
+ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
+ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
+ is.defaultReadObject();
+ }
}
}
diff --git a/src/java/org/apache/commons/collections/functors/package.html b/src/java/org/apache/commons/collections/functors/package.html
index d73ee62386..d678ddd9e1 100644
--- a/src/java/org/apache/commons/collections/functors/package.html
+++ b/src/java/org/apache/commons/collections/functors/package.html
@@ -38,6 +38,8 @@
diff --git a/src/test/org/apache/commons/collections/functors/TestAll.java b/src/test/org/apache/commons/collections/functors/TestAll.java index 5337628a41..14bcf7aead 100644 --- a/src/test/org/apache/commons/collections/functors/TestAll.java +++ b/src/test/org/apache/commons/collections/functors/TestAll.java @@ -36,6 +36,7 @@ public static Test suite() { suite.addTest(TestInstantiateTransformer.suite()); suite.addTest(TestInstantiateFactory.suite()); suite.addTest(TestInvokerTransformer.suite()); + suite.addTest(TestPrototypeFactory.suite()); suite.addTest(TestWhileClosure.suite()); return suite; } diff --git a/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java b/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java new file mode 100644 index 0000000000..1ac51e4a4d --- /dev/null +++ b/src/test/org/apache/commons/collections/functors/TestPrototypeFactory.java @@ -0,0 +1,49 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.commons.collections.functors; + +import java.util.ArrayList; + +import org.apache.commons.collections.Factory; + +import junit.framework.Test; +import junit.framework.TestSuite; + +public class TestPrototypeFactory extends AbstractTestSerialization { + + // conventional + // ------------------------------------------------------------------------ + + public TestPrototypeFactory(String testName) { + super(testName); + } + + public static Test suite() { + return new TestSuite(TestPrototypeFactory.class); + } + + // ------------------------------------------------------------------------ + + public Object makeObject() { + return PrototypeFactory.getInstance(new ArrayList()); + } + + public Class getTestClass() { + return Factory.class; + } + +}