diff --git a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
index 744b3a9581..6e4461a77d 100644
--- a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
+++ b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
@@ -71,6 +71,9 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 private static final String TLS_SERVER_PROTOCOLS_PROPERTY = "ghidra.tls.server.protocols";
 private static final String TLS_ENABLED_CIPHERS_PROPERTY = "jdk.tls.server.cipherSuites";
+ private static final String SERIALIZATION_FILTER_DISABLED_PROPERTY =
+ "ghidra.server.serialization.filter.disabled";
+
 private static SslRMIServerSocketFactory serverSocketFactory;
 private static SslRMIClientSocketFactory clientSocketFactory;
 private static InetAddress bindAddress;
@@ -208,7 +211,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 GhidraServer.server = this;
- // Establish serialization filter to address deserialization vulnerabity concerns
+ // Establish serialization filter to address deserialization vulnerabity concerns.
 setGlobalSerializationFilter();
 // Start block stream server - use RMI serverSocketFactory
@@ -751,8 +754,8 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 if (ApplicationKeyManagerFactory.getPreferredKeyStore() == null) {
 // keystore has not been identified - use self-signed certificate
- ApplicationKeyManagerFactory.setDefaultIdentity(
- new X500Principal("CN=GhidraServer"));
+ ApplicationKeyManagerFactory
+ .setDefaultIdentity(new X500Principal("CN=GhidraServer"));
 ApplicationKeyManagerFactory.addSubjectAlternativeName(hostname);
 }
 if (!ApplicationKeyManagerFactory.initialize()) {
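Review bot: The new SERIALIZATION_FILTER_DISABLED_PROPERTY constant carries no comment, yet it names a system property that switches off the server's global ObjectInputFilter, the control the call-site comment describes as addressing deserialization concerns. From the name alone a reader cannot tell that setting it removes a protection rather than tuning one; suggest `// Boolean system property that disables the global ObjectInputFilter entirely; intended only for local profiling sessions, never for a production server` above the declaration. The comment line added at the call site in the @@ -208 hunk also carries over the misspelling `vulnerabity`.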
@@ -797,7 +800,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 }
 log.info(
 " Anonymous server access: " + (allowAnonymousAccess ? "enabled" : "disabled"));
-
+
 String enabledCiphers = System.getProperty(TLS_ENABLED_CIPHERS_PROPERTY);
 if (enabledCiphers != null) {
 String[] cipherList = enabledCiphers.split(",");
@@ -806,7 +809,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 log.info(" " + s);
 }
 }
-
+
 serverSocketFactory =
 new SslRMIServerSocketFactory(null, getEnabledTlsProtocols(), authMode == PKI_LOGIN) {
 @Override
@@ -875,7 +878,13 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 }
 private static void setGlobalSerializationFilter() throws IOException {
-
+
+ // NOTE: Serialization filter may need to be disabled when profiling with VisualVM
+ String disabledStr = System.getProperty(SERIALIZATION_FILTER_DISABLED_PROPERTY);
+ if (Boolean.valueOf(disabledStr)) {
+ return;
+ }
+
 ObjectInputFilter patternFilter = readSerialFilterPatternFile();
 ObjectInputFilter filter = new ObjectInputFilter() {
@@ -894,11 +903,10 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 return status;
 }
-
 if (clazz == null) {
 return Status.ALLOWED;
 }
-
+
 Class componentType = clazz.getComponentType();
 if (componentType != null && componentType.isPrimitive()) {
 return Status.ALLOWED; // allow all primitive arrays
diff --git a/Ghidra/RuntimeScripts/Common/server/server.conf b/Ghidra/RuntimeScripts/Common/server/server.conf
index 5b13f6ef2c..4750c102f1 100644
--- a/Ghidra/RuntimeScripts/Common/server/server.conf
+++ b/Ghidra/RuntimeScripts/Common/server/server.conf
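Review bot: The early return added at the top of setGlobalSerializationFilter() leaves the server with no ObjectInputFilter at all and does so silently, so a server whose server.conf still carries the profiling property runs without its deserialization protection and nothing in the startup log shows it. Emit a warning before returning, e.g. `log.warn("Serialization filter disabled via " + SERIALIZATION_FILTER_DISABLED_PROPERTY + " system property");`, so the log that already reports the TLS and anonymous-access settings records this too (assuming `log` is static, as its use from the other static code in this class suggests). The property read and parse can collapse to `if (Boolean.getBoolean(SERIALIZATION_FILTER_DISABLED_PROPERTY)) {`, dropping the disabledStr local and the boxed Boolean.valueOf; Boolean.valueOf(null) is false, so the current form is not wrong, only indirect. The remainder of setGlobalSerializationFilter() continues past the end of the hunk.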
@@ -64,7 +64,7 @@ wrapper.java.additional.11=-Ddb.buffers.DataBuffer.compressedOutput=true
 # Uncomment to enable remote debug support
 # The debug address will listen on all network interfaces, if desired the '*' may be
 # set to a specific interface IP address (e.g., 127.0.0.1) if you wish to restrict.
-# During debug it may be necessary to increase timeout values to prevent the wrapper
+# During debug it will be necessary to increase timeout values to prevent the wrapper
 # from restarting the server due to unresponsiveness.
 #wrapper.java.additional.12=-Xdebug
 #wrapper.java.additional.13=-Xnoagent
@@ -76,14 +76,17 @@ wrapper.java.additional.11=-Ddb.buffers.DataBuffer.compressedOutput=true
 # Optional debug enablement instead of using the wrapper.java.additional arguments above
 # This will cause application to start in a suspended state in debug mode and increase
 # timeouts to their maximum values.
-#wrapper.java.debug.port=18200
+wrapper.java.debug.port=18200
-# Uncomment to enable remote use of jvisualvm for profiling
+# Uncomment to allow VisualVM Profiling to avoid "Rejected class serialization..." errors
+#wrapper.java.additional.16=-Dghidra.server.serialization.filter.disabled=true
+
+# Uncomment to enable remote use of VisualVM for profiling
 # See JMX documentation for more information: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
-#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.port=9010
-#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.local.only=false
-#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.authenticate=false
-#wrapper.java.additional.19=-Dcom.sun.management.jmxremote.ssl=false
+#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.port=9010
+#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.local.only=false
+#wrapper.java.additional.19=-Dcom.sun.management.jmxremote.authenticate=false
+#wrapper.java.additional.20=-Dcom.sun.management.jmxremote.ssl=false
 # YAJSW will by default assume a POSIX spawn for Linux and Mac OS X systems, unfortunately it has
 # not yet been implemented for Mac OS X. The default process support within YAJSW for Mac OS X is
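Review bot: `wrapper.java.debug.port=18200` is now uncommented, so every server started from this shipped server.conf begins in the suspended debug mode the three preceding comment lines describe (maximum timeouts, waiting for a debugger to attach) with a debug port open. This reads like a local debugging setting committed by accident; restore `#wrapper.java.debug.port=18200`. The new commented `wrapper.java.additional.16=-Dghidra.server.serialization.filter.disabled=true` line should also say what it gives up, since "to avoid Rejected class serialization errors" reads like a harmless fix; suggest preceding it with `# WARNING: this removes the server's deserialization filter entirely; use only for a local profiling session, never on a production server`.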