From 1594395df534d60133d98884c9d9f5eb92d0652e Mon Sep 17 00:00:00 2001
From: Mat Booth
Date: Wed, 1 Apr 2020 10:21:03 +0100
Subject: [PATCH 6/6] Fix for CVE-2019-17570 Deserialization of server-side exception from faultCause in XMLRPC error response
---
 .../xmlrpc/parser/XmlRpcResponseParser.java | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
index 087572b..f1b2427 100644
--- a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+++ b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extends RecursiveTypeParserImpl {
 getDocumentLocator());
 }
 errorMessage = (String) map.get("faultString");
- Object exception = map.get("faultCause");
- if (exception != null) {
- try {
- byte[] bytes = (byte[]) exception;
- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- ObjectInputStream ois = new ObjectInputStream(bais);
- errorCause = (Throwable) ois.readObject();
- ois.close();
- bais.close();
- } catch (Throwable t) {
- // Ignore me
- }
- }
+ if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
+ Object exception = map.get("faultCause");
+ if (exception != null) {
+ try {
+ byte[] bytes = (byte[]) exception;
+ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ errorCause = (Throwable) ois.readObject();
+ ois.close();
+ bais.close();
+ } catch (Throwable t) {
+ // Ignore me
+ }
+ }
+ }
 }
 }
-- 
2.26.0.rc2
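Review bot: When a client does opt in via `isEnabledForExceptions()`, the new block still hands server-controlled bytes to an unrestricted `ObjectInputStream.readObject()` (`errorCause = (Throwable) ois.readObject();`), so a malicious or compromised server, or anyone on the path of a plain-HTTP transport, can still deliver a gadget chain; the gate only moves the decision into the caller's configuration rather than removing the sink. Since the only legitimate payload is a Throwable graph, an `ObjectInputFilter` installed before `readObject()` that admits only `Throwable` subclasses plus the few JDK types its serialized form needs (`StackTraceElement` and its array, and the list types behind suppressed exceptions; confirm the exact set against the target JDK) and caps depth and reference count would fail closed; `setObjectInputFilter` needs Java 9+ (or the 8u121 `sun.misc` backport), and I cannot tell from this hunk which level the project targets. The `catch (Throwable t) { // Ignore me }` also swallows a rejected or mismatched payload silently, so logging the rejection at debug level would at least make a blocked deserialization attempt visible to operators. The `(XmlRpcStreamRequestConfig) cfg` cast is unchecked; if `cfg` may be any `XmlRpcStreamConfig`, an `instanceof` guard avoids a `ClassCastException` on a fault response. The enclosing method starts and ends outside this hunk.
```java
ObjectInputStream ois = new ObjectInputStream(bais);
// Only a Throwable graph is legitimate here: reject anything else before it is instantiated.
ois.setObjectInputFilter(info -> {
    if (info.depth() > 16 || info.references() > 256) {
        return ObjectInputFilter.Status.REJECTED;
    }
    Class<?> c = info.serialClass();
    if (c == null) {
        return ObjectInputFilter.Status.UNDECIDED;
    }
    while (c.isArray()) {
        c = c.getComponentType();
    }
    if (c.isPrimitive() || c == String.class
            || Throwable.class.isAssignableFrom(c)
            || c == StackTraceElement.class
            || c == ArrayList.class
            || c.getName().startsWith("java.util.Collections$Unmodifiable")) { // suppressed-exception list; verify for target JDK
        return ObjectInputFilter.Status.ALLOWED;
    }
    return ObjectInputFilter.Status.REJECTED;
});
errorCause = (Throwable) ois.readObject();
// … unchanged: stream close, catch block …
```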