Posted to dev@unomi.apache.org by sh...@apache.org on 2020/11/18 13:58:52 UTC
[unomi] 01/02: UNOMI-401 Fix missing base class in
SecureFilteringClassLoader (#219)
This is an automated email from the ASF dual-hosted git repository.
shuber pushed a commit to branch unomi-1.5.x
in repository https://gitbox.apache.org/repos/asf/unomi.git
commit 7cf12c42644e1e8695136ca69288033b357d19ba
Author: Serge Huber <sh...@jahia.com>
AuthorDate: Wed Nov 18 09:39:43 2020 +0100
UNOMI-401 Fix missing base class in SecureFilteringClassLoader (#219)
(cherry picked from commit 0d073658f454ff19e127c902d699fe51ffe8037d)
---
package/src/main/resources/etc/custom.system.properties | 2 +-
.../java/org/apache/unomi/scripting/SecureFilteringClassLoader.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/src/main/resources/etc/custom.system.properties b/package/src/main/resources/etc/custom.system.properties
index acca87b..4618ac0 100644
--- a/package/src/main/resources/etc/custom.system.properties
+++ b/package/src/main/resources/etc/custom.system.properties
@@ -33,7 +33,7 @@ org.apache.unomi.hazelcast.network.port=${env:UNOMI_HAZELCAST_NETWORK_PORT:-5701
org.apache.unomi.security.root.password=${env:UNOMI_ROOT_PASSWORD:-karaf}
# These parameters control the list of classes that are allowed or forbidden when executing expressions.
-org.apache.unomi.scripting.allow=${env:UNOMI_ALLOW_SCRIPTING_CLASSES:-org.apache.unomi.api.Event,org.apache.unomi.api.Profile,org.apache.unomi.api.Session,org.apache.unomi.api.Item,org.apache.unomi.api.CustomItem,ognl.*,java.lang.Object,java.util.Map,java.util.HashMap,java.lang.Integer,org.mvel2.*}
+org.apache.unomi.scripting.allow=${env:UNOMI_ALLOW_SCRIPTING_CLASSES:-org.apache.unomi.api.Event,org.apache.unomi.api.Profile,org.apache.unomi.api.Session,org.apache.unomi.api.Item,org.apache.unomi.api.CustomItem,ognl.*,java.lang.Object,java.util.Map,java.util.HashMap,java.lang.Integer,org.mvel2.*,java.lang.String}
org.apache.unomi.scripting.forbid=${env:UNOMI_FORBID_SCRIPTING_CLASSES:-}
# This parameter controls the whole expression filtering system. It is not recommended to turn it off. The main reason
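Review bot: The added `java.lang.String` entry only reaches installations that use the built-in default, because the `${env:UNOMI_ALLOW_SCRIPTING_CLASSES:-…}` form substitutes the whole list as soon as the variable is set. A deployment that already overrides the variable will presumably keep running without `java.lang.String` until its own value is extended by hand. The comment above the property should say so, for example `# Setting UNOMI_ALLOW_SCRIPTING_CLASSES replaces the entire default list; keep java.lang.String and the other base classes in any custom value.`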
diff --git a/scripting/src/main/java/org/apache/unomi/scripting/SecureFilteringClassLoader.java b/scripting/src/main/java/org/apache/unomi/scripting/SecureFilteringClassLoader.java
index 028d637..4af57e1 100644
--- a/scripting/src/main/java/org/apache/unomi/scripting/SecureFilteringClassLoader.java
+++ b/scripting/src/main/java/org/apache/unomi/scripting/SecureFilteringClassLoader.java
@@ -34,7 +34,7 @@ public class SecureFilteringClassLoader extends ClassLoader {
static {
String systemAllowedClasses = System.getProperty("org.apache.unomi.scripting.allow",
- "org.apache.unomi.api.Event,org.apache.unomi.api.Profile,org.apache.unomi.api.Session,org.apache.unomi.api.Item,org.apache.unomi.api.CustomItem,ognl.*,java.lang.Object,java.util.Map,java.util.HashMap,java.lang.Integer,org.mvel2.*");
+ "org.apache.unomi.api.Event,org.apache.unomi.api.Profile,org.apache.unomi.api.Session,org.apache.unomi.api.Item,org.apache.unomi.api.CustomItem,ognl.*,java.lang.Object,java.util.Map,java.util.HashMap,java.lang.Integer,org.mvel2.*,java.lang.String");
if (systemAllowedClasses != null) {
if ("all".equals(systemAllowedClasses.trim())) {
defaultAllowedClasses = null;
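Review bot: The fallback literal passed to `System.getProperty` in the static initializer is a second copy of the default in `custom.system.properties`, and this commit has to edit both by hand. Nothing in the visible lines ties the two together, so the allowlists can drift and leave the class filter stricter or looser than the shipped configuration. I would put a comment on the literal, `// Must match the default of org.apache.unomi.scripting.allow in etc/custom.system.properties`, and add a unit test that resolves `java.lang.String` through the class loader with the default list. The static block starts inside the hunk and continues past its last line.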