This is an automated email from the ASF dual-hosted git repository.

mridulpathak pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new a794822d58 Fixed: Deserializing ModelPermission.java throws an error 
(OFBIZ-13423) (#1261)
a794822d58 is described below

commit a794822d58e36dba4eca497527c78ee4c16d4825
Author: Mridul Pathak <[email protected]>
AuthorDate: Fri May 29 15:33:37 2026 +0530

    Fixed: Deserializing ModelPermission.java throws an error (OFBIZ-13423) 
(#1261)
    
    Fixed: Deserializing ModelPermission.java throws an error
    (OFBIZ-13423)
    
    Updated DEFAULT_DENYLIST and SafeObjectInputStream.properties to target
    "java.rmi" and "sun.rmi" specifically.
---
 framework/base/config/SafeObjectInputStream.properties                  | 2 +-
 .../src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/framework/base/config/SafeObjectInputStream.properties 
b/framework/base/config/SafeObjectInputStream.properties
index 7f759b66f5..7b875ef13f 100644
--- a/framework/base/config/SafeObjectInputStream.properties
+++ b/framework/base/config/SafeObjectInputStream.properties
@@ -31,4 +31,4 @@ allowList=byte\\[\\], foo, SerializationInjector, 
\\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,
 
 #-- List of strings rejected for serialisation
 #-- The same comments than for allowList apply to denyList
-denyList=rmi, <
+denyList=java.rmi, sun.rmi, <
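Review bot: Narrowing `rmi` to `java.rmi, sun.rmi` on the `denyList` line also stops denying other JDK packages whose names contain `rmi`, for example `javax.management.remote.rmi` and `com.sun.jndi.rmi`; the same applies to `DEFAULT_DENYLIST` in SafeObjectInputStream.java. The bare token presumably over-matched because "Permission" itself contains "rmi", so the narrowing is reasonable, but after this change those packages are rejected only if the allowlist does not admit them. If they are meant to stay blocked regardless of the allowlist, list them explicitly, e.g. `denyList=java.rmi, sun.rmi, javax.management.remote.rmi, com.sun.jndi.rmi, <`. How entries are matched (substring or regular expression) is not visible in this hunk, so the exact spelling should be checked against the matching code.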
diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 9fe35b58f9..ee40f757df 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -70,7 +70,7 @@ public final class SafeObjectInputStream extends 
ObjectInputStream {
             "org\\.codehaus\\.groovy\\.runtime\\.GStringImpl",
             "groovy\\.lang\\.GString",
             "sun\\.util\\.calendar\\.ZoneInfo"};
-    private static final String[] DEFAULT_DENYLIST = {"rmi", "<"};
+    private static final String[] DEFAULT_DENYLIST = {"java.rmi", "sun.rmi", 
"<"};
 
     /** The regular expression used to match serialized types. */
     private final Pattern allowlistPattern;
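Review bot: `DEFAULT_DENYLIST` carries no comment saying why its entries are package-qualified, and its dots are unescaped while the allowlist entries directly above escape theirs (`"sun\\.util\\.calendar\\.ZoneInfo"`). The matching code is outside this hunk; if denylist entries are compiled as regular expressions, `java.rmi` would accept any character in the dot position, which is harmless for a denylist but worth stating. I would add above the constant `// Package-qualified on purpose: a bare "rmi" also matches class names such as ModelPermission (OFBIZ-13423).` The diffstat shows no test file, so a regression test that deserializes a `ModelPermission` and still rejects a `java.rmi` class would pin both sides of this change.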
