From e45b8ebbbd7211012fcd1bf0622d4c64e65a7da0 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Wed, 20 Dec 2023 07:26:05 -0600 Subject: [PATCH] Review feedback on message wording, fix whitespace char --- .../rebind/rpc/SerializableTypeOracleBuilder.java | 11 ++++++----- .../gwt/user/server/rpc/RemoteServiceServlet.java | 10 +++++----- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/user/src/com/google/gwt/user/rebind/rpc/SerializableTypeOracleBuilder.java b/user/src/com/google/gwt/user/rebind/rpc/SerializableTypeOracleBuilder.java index 629b40d3f9..668e6dc3ea 100644 --- a/user/src/com/google/gwt/user/rebind/rpc/SerializableTypeOracleBuilder.java +++ b/user/src/com/google/gwt/user/rebind/rpc/SerializableTypeOracleBuilder.java @@ -320,7 +320,7 @@ public boolean isAllowed(JClassType type) { JPA_ENTITY_ANNOTATION = Class.forName("javax.persistence.Entity").asSubclass(Annotation.class); } catch (ClassNotFoundException e) { - // Ignore, JPA_ENTITY_CAPABLE_ANNOTATION will be null + // Ignore, JPA_ENTITY_CAPABLE_ANNOTATION will be null } } 
@@ -869,10 +869,11 @@ public SerializableTypeOracle build(TreeLogger logger) throws UnableToCompleteEx if (tic.maybeEnhanced() || (enhancedClasses != null && enhancedClasses.contains(type.getQualifiedSourceName()))) { - logger.log(TreeLogger.WARN, "The class " + type.getQualifiedSourceName() + " is both " + - "referenced from configuration as rpc.enhancedClasses and has JPA annotations. " + - "This makes the server vulnerable to an issue with deserialization of unsafe " + - "data. See https://github.com/gwtproject/gwt/issues/9709 for more information."); + logger.log(TreeLogger.WARN, "The class " + type.getQualifiedSourceName() + " has JPA " + + "annotations or is explicitly configured as an enhanced class using the " + + "configuration property rpc.enhancedClasses. This makes the server vulnerable " + + "to an issue with deserialization of unsafe data. See " + + "https://github.com/gwtproject/gwt/issues/9709 for more information."); type.setEnhanced(); } } diff --git a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java index f243a5e23d..1bd73e142e 100644 --- a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java +++ b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java 
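Review bot: The reworded warning in SerializableTypeOracleBuilder.build() joins two possible causes with "or", so a reader of the build log cannot tell which one applies to the reported class, although the condition just above already distinguishes them. The runtime error in RemoteServiceServlet sends operators to the build log to find the affected classes, so the text should name the actual cause, for example `String cause = tic.maybeEnhanced() ? "has JPA annotations" : "is listed in the configuration property rpc.enhancedClasses";` and then log `"The class " + type.getQualifiedSourceName() + " " + cause + ". This makes the server vulnerable ..."`. The servlet messages in this commit say "JPA/JDO" while this one says only "JPA"; if maybeEnhanced() also matches JDO annotations, which the hunk does not show, the two wordings should agree. build() starts and ends outside the hunk.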
@@ -98,12 +98,12 @@ static SerializationPolicy loadSerializationPolicy(HttpServlet servlet, null); if (serializationPolicy.hasClientFields()) { if (ENABLE_ENHANCED_CLASSES) { - servlet.log("WARNING: Enhanced JPA client fields are in use for this " + - "application. See https://github.com/gwtproject/gwt/issues/9709 for " + - "more detail. on the vulnerability that this presents."); + servlet.log("WARNING: Service deserializes enhanced JPA/JDO classes, which is " + + "unsafe. See https://github.com/gwtproject/gwt/issues/9709 for more " + + "detail on the vulnerability that this presents."); } else { - servlet.log("ERROR: Service uses enhanced classes, which are unsafe. Review " + - "build logs to see where this can be fixed, or set " + + servlet.log("ERROR: Service deserializes enhanced JPA/JDO classes, which is " + + "unsafe. Review build logs to see which classes are affected, or set " + ENABLE_GWT_ENHANCED_CLASSES_PROPERTY + " to true to allow using this " + "service. See https://github.com/gwtproject/gwt/issues/9709 for more " + "detail.");
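Review bot: The ERROR text in loadSerializationPolicy() offers setting the property to true as an equal alternative to fixing the classes, without saying that this re-enables the deserialization path the same message has just called unsafe. An operator who only wants the service back up will likely take the property route, so the override should read as an accepted risk, e.g. change the context line to `ENABLE_GWT_ENHANCED_CLASSES_PROPERTY + " to true to accept that risk and allow using this " +` (re-wrapped to the line limit). A one-line comment above the `if (ENABLE_ENHANCED_CLASSES)` branch, such as `// Enhanced classes are deserialized from client-supplied fields; see issue 9709.`, would also tell maintainers why the two branches log at different severities. Whether the policy is actually refused after the ERROR is logged is not visible, because the function continues outside the hunk.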