
JAVA JBOSS 序列化和反序列化漏洞修复

将 commons-collections-3.2.1.jar 中的 InvokerTransformer 类修改为如下内容，重新打包 jar 后覆盖原文件即可。

package org.apache.commons.collections.functors;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

import org.apache.commons.collections.FunctorException;
import org.apache.commons.collections.Transformer;

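/**
 * Transformer that invokes a named method, by reflection, on the object it is
 * given (see {@link #transform(Object)}).
 * <p>
 * This copy of the class differs from the stock 3.2.1 version only in
 * {@link #readObject(ObjectInputStream)}: Java deserialization of an
 * {@code InvokerTransformer} instance is refused unless the system property
 * named by {@link #DESERIALIZE} is set to {@code "true"}. The gate is applied
 * before any field is read, so a rejected stream never populates an instance.
 * <p>
 * Note that this edit guards deserialization of this class only; the behaviour
 * of {@link #transform(Object)} itself is unchanged, and other functor classes
 * in the same jar are not touched by this patch.
 */
public class InvokerTransformer implements Transformer, Serializable {

    /** Serial version UID kept identical to the original class so existing streams stay compatible. */
    private static final long serialVersionUID = -8653385846894047688L;

    /**
     * Name of the system property that must be {@code "true"} (case-insensitive)
     * for instances of this class to be deserialized.
     */
    public final static String DESERIALIZE = "org.apache.commons.collections.invokertransformer.enableDeserialization";

    /** Name of the method to invoke on the input object. */
    private final String iMethodName;
    /** Parameter types used to look the method up; {@code null} means a no-arg method. */
    private final Class[] iParamTypes;
    /** Arguments passed to the method; {@code null} means a no-arg method. */
    private final Object[] iArgs;

    /**
     * Returns a transformer that invokes the named no-argument method.
     *
     * @param methodName  the method name to call, must not be null
     * @return a transformer invoking {@code methodName} with no arguments
     * @throws IllegalArgumentException if {@code methodName} is null
     */
    public static Transformer getInstance(String methodName) {
        if (methodName == null) {
            throw new IllegalArgumentException(
                    "The method to invoke must not be null");
        }
        return new InvokerTransformer(methodName);
    }

    /**
     * Returns a transformer that invokes the named method with the given
     * parameter types and arguments. Both arrays are cloned so later changes by
     * the caller do not affect the transformer.
     *
     * @param methodName  the method name to call, must not be null
     * @param paramTypes  the parameter types of the method, may be null or empty
     * @param args  the arguments to pass, must be null/empty exactly when {@code paramTypes} is
     * @return a transformer invoking the described method
     * @throws IllegalArgumentException if {@code methodName} is null, or if the
     *         two arrays disagree in nullness or length
     */
    public static Transformer getInstance(String methodName,
            Class[] paramTypes, Object[] args) {
        if (methodName == null) {
            throw new IllegalArgumentException(
                    "The method to invoke must not be null");
        }
        // Either both arrays are absent, or both are present with equal length.
        if (((paramTypes == null) && (args != null))
                || ((paramTypes != null) && (args == null))
                || ((paramTypes != null) && (args != null) && (paramTypes.length != args.length))) {
            throw new IllegalArgumentException(
                    "The parameter types must match the arguments");
        }
        if (paramTypes == null || paramTypes.length == 0) {
            return new InvokerTransformer(methodName);
        } else {
            // Defensive copies: the arrays become part of the immutable state.
            paramTypes = (Class[]) paramTypes.clone();
            args = (Object[]) args.clone();
            return new InvokerTransformer(methodName, paramTypes, args);
        }
    }

    /**
     * Constructor for a no-argument method; use {@link #getInstance(String)} instead.
     *
     * @param methodName  the method to call
     */
    private InvokerTransformer(String methodName) {
        super();
        iMethodName = methodName;
        iParamTypes = null;
        iArgs = null;
    }

    /**
     * Constructor that performs no validation and stores the arrays as given
     * (no copy). Prefer {@link #getInstance(String, Class[], Object[])}, which
     * validates and clones its inputs.
     *
     * @param methodName  the method to call
     * @param paramTypes  the parameter types of the method, may be null
     * @param args  the arguments to pass, may be null
     */
    public InvokerTransformer(String methodName, Class[] paramTypes,
            Object[] args) {
        super();
        iMethodName = methodName;
        iParamTypes = paramTypes;
        iArgs = args;
    }

    /**
     * Transforms the input by invoking the configured method on it via reflection.
     *
     * @param input  the object on which to invoke the method, may be null
     * @return the method's return value, or null if {@code input} is null
     * @throws FunctorException if the method does not exist, cannot be accessed,
     *         or throws (the original cause is attached)
     */
    public Object transform(Object input) {
        if (input == null) {
            return null;
        }
        try {
            Class cls = input.getClass();
            Method method = cls.getMethod(iMethodName, iParamTypes);
            return method.invoke(input, iArgs);

        } catch (NoSuchMethodException ex) {
            throw new FunctorException("InvokerTransformer: The method '"
                    + iMethodName + "' on '" + input.getClass()
                    + "' does not exist", ex);
        } catch (IllegalAccessException ex) {
            throw new FunctorException("InvokerTransformer: The method '"
                    + iMethodName + "' on '" + input.getClass()
                    + "' cannot be accessed", ex);
        } catch (InvocationTargetException ex) {
            throw new FunctorException("InvokerTransformer: The method '"
                    + iMethodName + "' on '" + input.getClass()
                    + "' threw an exception", ex);
        }
    }

    /**
     * Deserialization hook: refuses to read an instance unless the system
     * property {@link #DESERIALIZE} is {@code "true"}. The check runs before
     * {@code defaultReadObject()}, so no field is populated on rejection.
     * A {@code SecurityException} from the property lookup is treated as
     * "not enabled".
     *
     * @param is  the stream to read from
     * @throws UnsupportedOperationException if deserialization is not enabled
     * @throws ClassNotFoundException if a class in the stream cannot be found
     * @throws IOException if reading the stream fails
     */
    private void readObject(ObjectInputStream is)
            throws ClassNotFoundException, IOException {
        String deserializeProperty;

        try {
            // Read under doPrivileged so the lookup does not depend on the
            // permissions of whatever code triggered deserialization.
            deserializeProperty = (String) AccessController
                    .doPrivileged(new PrivilegedAction() {
                        public Object run() {
                            return System.getProperty(DESERIALIZE);
                        }
                    });
        } catch (SecurityException ex) {
            deserializeProperty = null;
        }

        if (deserializeProperty == null
                || !deserializeProperty.equalsIgnoreCase("true")) {
            throw new UnsupportedOperationException(
                    "Deserialization of InvokerTransformer is disabled, "
                    + "enable it by setting the system property '"
                    + DESERIALIZE + "' to 'true'");
        }

        is.defaultReadObject();
    }
}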
