[OFBIZ-10837] Improve ObjectInputStream class (CVE-2019-0189) - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Implemented
Affects Version/s: Release Branch 16.11, Release Branch 18.12, Release Branch 17.12
Fix Version/s: 16.11.06, 17.12.01, 18.12.01
Component/s: framework
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object.[3]

[1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
[3] Bug: The class name org.apache.ofbiz.base.util.ObjectInputStream shadows the simple name of the superclass java.io.ObjectInputStream

This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.

Rank: Troubling (14), confidence: High
Pattern: NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
Type: Nm, Category: BAD_PRACTICE (Bad practice)

2019/09/12: Initiallty this description was intentionnaly done to somehow hide a security issue (CVE-2019-0189) while allowing to fix the bug.