Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-10837

Improve ObjectInputStream class (CVE-2019-0189)

Attach filesAttach ScreenshotVotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Implemented
    • Release Branch 16.11, Release Branch 18.12, Release Branch 17.12
    • 16.11.06, 17.12.01, 18.12.01
    • framework
    • None
    • Bug Crush Event - 21/2/2015

    Description

      As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object.[3]

      [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
      [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
      [3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows the simple name of the superclass java.io.ObjectInputStream

      This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.

      Rank: Troubling (14), confidence: High
      Pattern: NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
      Type: Nm, Category: BAD_PRACTICE (Bad practice)

      2019/09/12: Initiallty this description was intentionnaly done to somehow hide a security issue (CVE-2019-0189) while allowing to fix the bug.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            jleroux Jacques Le Roux
            jleroux Jacques Le Roux
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Agile

                Completed Sprint:
                Bug Crush Event - 21/2/2015 ended 26/Feb/15
                View on Board

                Slack

                  Issue deployment