Posted to commits@openjpa.apache.org by rm...@apache.org on 2015/11/27 13:15:48 UTC

svn commit: r1716859 - in /openjpa/trunk: openjpa-kernel/src/main/java/org/apache/openjpa/util/ openjpa-persistence/src/main/java/org/apache/openjpa/persistence/

Author: rmannibucau
Date: Fri Nov 27 12:15:47 2015
New Revision: 1716859

URL: http://svn.apache.org/viewvc?rev=1716859&view=rev
Log:
OPENJPA-2617 adding BlacklistClassResolver to support blacklisting of class loading in our ObjectInputStream

Added:
    openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java
Modified:
    openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java
    openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java

Added: openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java
URL: http://svn.apache.org/viewvc/openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java?rev=1716859&view=auto
==============================================================================
--- openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java (added)
+++ openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java Fri Nov 27 12:15:47 2015
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.openjpa.util;
+
+public class BlacklistClassResolver {
+    public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+        toArray(
+            System.getProperty(
+                "openjpa.serialization.class.blacklist",
+                "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+        toArray(System.getProperty("openjpa.serialization.class.whitelist")));
+
+    private final String[] blacklist;
+    private final String[] whitelist;
+
+    protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+        this.whitelist = whitelist;
+        this.blacklist = blacklist;
+    }
+
+    protected boolean isBlacklisted(final String name) {
+        return !contains(whitelist, name) && contains(blacklist, name);
+    }
+
+    public final String check(final String name) {
+        if (isBlacklisted(name)) {
+            throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+        }
+        return name;
+    }
+
+    private static String[] toArray(final String property) {
+        return property == null ? null : property.split(" *, *");
+    }
+
+    private static boolean contains(final String[] list, String name) {
+        if (list != null) {
+            for (final String white : list) {
+                if (name.startsWith(white)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+}
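Review bot: `toArray` (L73–L75) turns an empty or comma-led property into an array containing `""`, and `contains` treats `""` as a prefix of every name, so running with `-Dopenjpa.serialization.class.whitelist=` (empty value) silently disables the whole blacklist, while a stray comma in the blacklist property rejects every class. Entries should be trimmed and blank ones dropped before the arrays are built; the rewrite below does that and needs `java.util.List`/`java.util.ArrayList` added to the import section. The prefix match is also applied to the raw stream class name, so an array descriptor such as `[Lorg.codehaus.groovy.runtime.X;` never starts with a blacklisted prefix and passes `check` unchanged in both callers (the `resolveClass` hunks in Serialization.java and EntityManagerImpl.java); the descriptor's leading `[`/`L` and trailing `;` should be stripped before matching, as in the rewritten `check` below. The default entry `org.apache.xalan` has no trailing dot, so it also matches any package or class whose name merely begins with that text; if that is intended it deserves a comment, and the public class itself has no Javadoc explaining the two system properties it reads.
```java
    public final String check(final String name) {
        // Match on the component class of an array descriptor ("[[Lfoo.Bar;"),
        // otherwise a prefix list can never reject arrays of a blocked class.
        String candidate = name;
        while (candidate.startsWith("[")) {
            candidate = candidate.substring(1);
        }
        if (candidate.startsWith("L") && candidate.endsWith(";")) {
            candidate = candidate.substring(1, candidate.length() - 1);
        }
        if (isBlacklisted(candidate)) {
            throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
        }
        return name;
    }

    private static String[] toArray(final String property) {
        if (property == null) {
            return null;
        }
        final List<String> entries = new ArrayList<String>();
        for (final String entry : property.split(",")) {
            final String trimmed = entry.trim();
            // an empty prefix would match every class name
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries.toArray(new String[entries.size()]);
    }

    // … unchanged: DEFAULT, fields, constructor, isBlacklisted, contains …
```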

Modified: openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java
URL: http://svn.apache.org/viewvc/openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java?rev=1716859&r1=1716858&r2=1716859&view=diff
==============================================================================
--- openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java (original)
+++ openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java Fri Nov 27 12:15:47 2015
@@ -128,12 +128,13 @@ public class Serialization {
 
         protected Class resolveClass(ObjectStreamClass desc) 
             throws IOException, ClassNotFoundException {
+            String name = BlacklistClassResolver.DEFAULT.check(desc.getName());
             MultiClassLoader loader = AccessController
                 .doPrivileged(J2DoPrivHelper.newMultiClassLoaderAction());
             addContextClassLoaders(loader);
             loader.addClassLoader(getClass().getClassLoader());
             loader.addClassLoader(MultiClassLoader.SYSTEM_LOADER);
-            return Class.forName(desc.getName(), true, loader);
+            return Class.forName(name, true, loader);
         }
 
         protected void addContextClassLoaders(MultiClassLoader loader) {
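Review bot: The added line at L98 should carry a comment explaining why the check runs before the loader is assembled, e.g. `// Reject blacklisted names before any loader is consulted: Class.forName below initialises the class, so a blocked type must never reach it.` Only `resolveClass` is guarded here; if this ObjectInputStream subclass also overrides `resolveProxyClass` (not visible in the hunk), the interface names it receives should go through the same `BlacklistClassResolver.DEFAULT.check` call. Note that `check` compares the raw `desc.getName()`, which for arrays begins with `[`, so array forms of a blocked class are not caught by this line as written. The enclosing ObjectInputStream subclass and the `Serialization` class both start outside the hunk.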

Modified: openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java
URL: http://svn.apache.org/viewvc/openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java?rev=1716859&r1=1716858&r2=1716859&view=diff
==============================================================================
--- openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java (original)
+++ openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java Fri Nov 27 12:15:47 2015
@@ -84,6 +84,7 @@ import org.apache.openjpa.persistence.cr
 import org.apache.openjpa.persistence.criteria.OpenJPACriteriaBuilder;
 import org.apache.openjpa.persistence.criteria.OpenJPACriteriaQuery;
 import org.apache.openjpa.persistence.validation.ValidationUtils;
+import org.apache.openjpa.util.BlacklistClassResolver;
 import org.apache.openjpa.util.ExceptionInfo;
 import org.apache.openjpa.util.Exceptions;
 import org.apache.openjpa.util.ImplHelper;
@@ -1543,7 +1544,7 @@ public class EntityManagerImpl
         protected Class<?> resolveClass(ObjectStreamClass classDesc)
             throws IOException, ClassNotFoundException {
 
-            String cname = classDesc.getName();
+            String cname = BlacklistClassResolver.DEFAULT.check(classDesc.getName());
             if (cname.startsWith("[")) {
                 // An array
                 Class<?> component;		// component class