"Applied fix from trunk framework for revision: 1869001"

------------------------------------------------------------------------
r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes

Fixed: Handle whitelist of serializable classes from properties
(OFBIZ-11261)

There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value
defined in the “SafeObjectInputStream.properties” file was handled.  Mistakenly
only one class identifier was allowed.

Some unit tests have been added to check that the identified bug is fixed.

------------------------------------------------------------------------
�

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1869033 13f79535-47bb-0310-9956-ffa450edef68

framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

@@ -24,10 +24,11 @@
 import java.io.IOException;
 import java.io.ObjectOutputStream;
 import java.io.InputStream;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
-import java.lang.Class;
+import java.util.stream.Collectors;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
@@ -109,7 +110,10 @@ public static Object getObjectException(byte[] bytes) throws ClassNotFoundExcept
                 "ListOfSafeObjectsForInputStream");
         List<String> listOfSafeObjects = null;
         if (UtilValidate.isNotEmpty(listOfSafeObjectsForInputStream)) {
-            listOfSafeObjects = java.util.Arrays.asList(listOfSafeObjectsForInputStream);
+            listOfSafeObjects = Arrays.stream(listOfSafeObjectsForInputStream.split(","))
+                    .map(String::trim)
+                    .filter(s -> !s.isEmpty())
+                    .collect(Collectors.toList());
         } else {
             listOfSafeObjects = java.util.Arrays.asList("byte\\[\\]", "foo", "SerializationInjector",
                     "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C",