slf4j/slf4j-Disallow-EventData-deserialization-by-default.patch

Index: slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
===================================================================
--- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
@@ -76,12 +76,21 @@ public class EventData implements Serial
      */
     @SuppressWarnings("unchecked")
     public EventData(String xml) {
-        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-        try {
-            XMLDecoder decoder = new XMLDecoder(bais);
-            this.eventData = (Map<String, Object>) decoder.readObject();
-        } catch (Exception e) {
-            throw new EventException("Error decoding " + xml, e);
+	if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+	    ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+	    try {
+		XMLDecoder decoder = new XMLDecoder(bais);
+		this.eventData = (Map<String, Object>) decoder.readObject();
+	    } catch (Exception e) {
+		throw new EventException("Error decoding " + xml, e);
+	    }
+	} else {
+	    throw new UnsupportedOperationException(
+		    "Constructing EventData from XML is vulnerable to remote " +
+                    "excution and is not allowed by default. If you're " +
+                    "completely sure the source data is trusted, you can enable " +
+                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+                    "JVM property to 1");
         }
     }
 
@@ -302,4 +311,4 @@ public class EventData implements Serial
     public int hashCode() {
         return this.eventData.hashCode();
     }
-}
\ No newline at end of file
+}
Accepting request 610257 from home:pmonrealgonzalez:branches:Java:packages - Security fix: [bsc#1085970, CVE-2018-8088] * Disallow EventData deserialization by default * Added slf4j-Disallow-EventData-deserialization-by-default.patch refreshed from Fedora [ https://src.fedoraproject.org/rpms/slf4j/ blob/d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63/f/ 0001-Disallow-EventData-deserialization-by-default.patch ] OBS-URL: https://build.opensuse.org/request/show/610257 OBS-URL: https://build.opensuse.org/package/show/Java:packages/slf4j?expand=0&rev=30 2018-05-18 09:30:58 +00:00			`Index: slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java`
			`===================================================================`
			`--- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java`
			`+++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java`
			`@@ -76,12 +76,21 @@ public class EventData implements Serial`
			`*/`
			`@SuppressWarnings("unchecked")`
			`public EventData(String xml) {`
			`- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());`
			`- try {`
			`- XMLDecoder decoder = new XMLDecoder(bais);`
			`- this.eventData = (Map<String, Object>) decoder.readObject();`
			`- } catch (Exception e) {`
			`- throw new EventException("Error decoding " + xml, e);`
			`+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {`
			`+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());`
			`+ try {`
			`+ XMLDecoder decoder = new XMLDecoder(bais);`
			`+ this.eventData = (Map<String, Object>) decoder.readObject();`
			`+ } catch (Exception e) {`
			`+ throw new EventException("Error decoding " + xml, e);`
			`+ }`
			`+ } else {`
			`+ throw new UnsupportedOperationException(`
			`+ "Constructing EventData from XML is vulnerable to remote " +`
			`+ "excution and is not allowed by default. If you're " +`
			`+ "completely sure the source data is trusted, you can enable " +`
			`+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +`
			`+ "JVM property to 1");`
			`}`
			`}`

			`@@ -302,4 +311,4 @@ public class EventData implements Serial`
			`public int hashCode() {`
			`return this.eventData.hashCode();`
			`}`
			`-}`
			`\ No newline at end of file`
			`+}`