CBL-Mariner/SPECS-EXTENDED/xmlrpc/0006-Fix-for-CVE-2019-17570...


From 1594395df534d60133d98884c9d9f5eb92d0652e Mon Sep 17 00:00:00 2001
From: Mat Booth <mat.booth@redhat.com>
Date: Wed, 1 Apr 2020 10:21:03 +0100
Subject: [PATCH 6/6] Fix for CVE-2019-17570
Deserialization of server-side exception from faultCause in XMLRPC error response
---
.../xmlrpc/parser/XmlRpcResponseParser.java | 28 ++++++++++---------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
index 087572b..f1b2427 100644
--- a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+++ b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extends RecursiveTypeParserImpl {
getDocumentLocator());
}
errorMessage = (String) map.get("faultString");
- Object exception = map.get("faultCause");
- if (exception != null) {
- try {
- byte[] bytes = (byte[]) exception;
- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- ObjectInputStream ois = new ObjectInputStream(bais);
- errorCause = (Throwable) ois.readObject();
- ois.close();
- bais.close();
- } catch (Throwable t) {
- // Ignore me
- }
- }
+ if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
+ Object exception = map.get("faultCause");
+ if (exception != null) {
+ try {
+ byte[] bytes = (byte[]) exception;
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ errorCause = (Throwable) ois.readObject();
+ ois.close();
+ bais.close();
+ } catch (Throwable t) {
+ // Ignore me
+ }
+ }
+ }
}
}
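Review bot: When `isEnabledForExceptions()` is true the new branch still feeds attacker-controlled `faultCause` bytes into an unrestricted `ObjectInputStream`, so the fix is a configuration gate rather than a deserialization control, and any deployment that enables the option is back to the pre-patch state. Where the target JDK allows it, the stream should be restricted to the types a `Throwable` graph legitimately contains before `readObject()` is called, e.g. `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("<ALLOWLIST-PATTERN>;!*"));` (Java 9+ API; on older targets a subclass overriding `resolveClass` to reject anything outside that allowlist is the equivalent), and the header comment should state that `faultCause` is only honoured when the option is set. The `(XmlRpcStreamRequestConfig)cfg` cast is unchecked, so a config of another type would presumably fail with a `ClassCastException` outside the `catch (Throwable t)` that otherwise swallows every failure of this path, including the cast on `exception` — a failed deserialization is silently dropped rather than at least logged. The enclosing method begins before the hunk.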
--
2.26.0.rc2