From e5d73758e2bba33525733d99895489fd30affbd9 Mon Sep 17 00:00:00 2001
From: Andrew Purtell
Date: Tue, 17 Nov 2015 12:38:55 -0800
Subject: [PATCH] HBASE-14799 Commons-collections object deserialization remote command execution vulnerability
---
 .../java/org/apache/hadoop/hbase/util/Base64.java | 126 ---------------------
 pom.xml | 3 +-
 2 files changed, 2 insertions(+), 127 deletions(-)
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/util/Base64.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/util/Base64.java
index a22133d..1c771ce 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/util/Base64.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/util/Base64.java
@@ -30,10 +30,7 @@ import java.io.FilterInputStream;
 import java.io.FilterOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.io.OutputStream;
-import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
@@ -515,92 +512,6 @@ public class Base64 {
 } // end encode3to4
 
 /**
- * Serializes an object and returns the Base64-encoded version of that
- * serialized object. If the object cannot be serialized or there is another
- * error, the method will return null. The object is not
- * GZip-compressed before being encoded.
- *
- * @param serializableObject The object to encode
- * @return The Base64-encoded object
- * @since 1.4
- */
- public static String encodeObject(Serializable serializableObject) {
- return encodeObject(serializableObject, NO_OPTIONS);
- } // end encodeObject
-
- /**
- * Serializes an object and returns the Base64-encoded version of that
- * serialized object. If the object cannot be serialized or there is another
- * error, the method will return null.
- *
- * Valid options:
- *
- *
- * Example: encodeObject( myObj, Base64.GZIP ) or
- *
- * Example:
- * encodeObject( myObj, Base64.GZIP | Base64.DONT_BREAK_LINES )
- *
- * @param serializableObject The object to encode
- * @param options Specified options
- * @see Base64#GZIP
- * @see Base64#DONT_BREAK_LINES
- * @return The Base64-encoded object
- * @since 2.0
- */
- @SuppressWarnings({"ConstantConditions"})
- public static String encodeObject(Serializable serializableObject,
- int options) {
-
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- OutputStream b64os = null;
- ObjectOutputStream oos = null;
- try {
- // ObjectOutputStream -> (GZIP) -> Base64 -> ByteArrayOutputStream
- b64os = new Base64OutputStream(baos, ENCODE | options);
-
- oos = ((options & GZIP) == GZIP) ?
- new ObjectOutputStream(new GZIPOutputStream(b64os)) :
- new ObjectOutputStream(b64os);
-
- oos.writeObject(serializableObject);
- return new String(baos.toByteArray(), PREFERRED_ENCODING);
-
- } catch (UnsupportedEncodingException uue) {
- return new String(baos.toByteArray());
-
- } catch (IOException e) {
- LOG.error("error encoding object", e);
- return null;
-
- } finally {
- if (oos != null) {
- try {
- oos.close();
- } catch (Exception e) {
- LOG.error("error closing ObjectOutputStream", e);
- }
- }
- if (b64os != null) {
- try {
- b64os.close();
- } catch (Exception e) {
- LOG.error("error closing Base64OutputStream", e);
- }
- }
- try {
- baos.close();
- } catch (Exception e) {
- LOG.error("error closing ByteArrayOutputStream", e);
- }
- } // end finally
- } // end encode
-
- /**
 * Encodes a byte array into Base64 notation. Does not GZip-compress data.
 *
 * @param source The data to convert
@@ -978,43 +889,6 @@ public class Base64 {
 } // end decode
 
 /**
- * Attempts to decode Base64 data and deserialize a Java Object within.
- * Returns null if there was an error.
- *
- * @param encodedObject The Base64 data to decode
- * @return The decoded and deserialized object
- * @since 1.5
- */
- public static Object decodeToObject(String encodedObject) {
- // Decode and gunzip if necessary
- byte[] objBytes = decode(encodedObject);
-
- Object obj = null;
- ObjectInputStream ois = null;
- try {
- ois = new ObjectInputStream(new ByteArrayInputStream(objBytes));
- obj = ois.readObject();
-
- } catch (IOException e) {
- LOG.error("error decoding object", e);
-
- } catch (ClassNotFoundException e) {
- LOG.error("error decoding object", e);
-
- } finally {
- if (ois != null) {
- try {
- ois.close();
- } catch (Exception e) {
- LOG.error("error closing ObjectInputStream", e);
- }
- }
- } // end finally
-
- return obj;
- } // end decodeObject
-
- /**
 * Convenience method for encoding data to a file.
 *
 * @param dataToEncode byte array of data to encode in base64 form
diff --git a/pom.xml b/pom.xml
index cb01cea..bc31baf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1176,7 +1176,8 @@
 2.2
 3.1
 3.3.0
- 3.2.1
+
+ 3.2.2
 3.1
 2.2.0
 12.0.1
-- 
2.4.9 (Apple Git-60)