Posted to commits@dubbo.apache.org by li...@apache.org on 2020/07/03 08:54:02 UTC

[dubbo] branch master updated: Hessian2 whitelist (#6378)

This is an automated email from the ASF dual-hosted git repository.

liujun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git


The following commit(s) were added to refs/heads/master by this push:
     new 11e728c  Hessian2 whitelist (#6378)
11e728c is described below

commit 11e728c084b591d0c11267e0729805eeeb59bd73
Author: ken.lj <ke...@gmail.com>
AuthorDate: Fri Jul 3 16:53:51 2020 +0800

    Hessian2 whitelist (#6378)
    
    fixes #6364
---
 dubbo-dependencies-bom/pom.xml                     |  2 +-
 .../hessian2/Hessian2SerializerFactory.java        | 29 +++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/dubbo-dependencies-bom/pom.xml b/dubbo-dependencies-bom/pom.xml
index eae1bc8..c2426e2 100644
--- a/dubbo-dependencies-bom/pom.xml
+++ b/dubbo-dependencies-bom/pom.xml
@@ -152,7 +152,7 @@
         <activation_version>1.2.0</activation_version>
         <test_container_version>1.11.2</test_container_version>
         <etcd_launcher_version>0.3.0</etcd_launcher_version>
-        <hessian_lite_version>3.2.7</hessian_lite_version>
+        <hessian_lite_version>3.2.8</hessian_lite_version>
         <swagger_version>1.5.19</swagger_version>
         <spring_test_version>4.3.16.RELEASE</spring_test_version>
 
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
index a5c5a90..d0ff3a7 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,11 +16,38 @@
  */
 package org.apache.dubbo.common.serialize.hessian2;
 
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.utils.StringUtils;
+
 import com.alibaba.com.caucho.hessian.io.SerializerFactory;
 
 public class Hessian2SerializerFactory extends SerializerFactory {
+    private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
+    private static final String ALLOW = "dubbo.application.hessian2.allow";
+    private static final String DENY = "dubbo.application.hessian2.deny";
+
+    public static final SerializerFactory SERIALIZER_FACTORY;
 
-    public static final SerializerFactory SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+    /**
+     * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+     */
+    static {
+        SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+        String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+        if ("true".equals(whiteList)) {
+            SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
+            String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+            if (StringUtils.isNotEmpty(allowPattern)) {
+                SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
+            }
+        } else {
+            SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
+            String denyPattern = ConfigurationUtils.getProperty(DENY);
+            if (StringUtils.isNotEmpty(denyPattern)) {
+                SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
+            }
+        }
+    }
 
     private Hessian2SerializerFactory() {
     }
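Review bot: The check `"true".equals(whiteList)` in the static initializer fails open: any other spelling of the property value (`TRUE`, a trailing space, `yes`) silently takes the `else` branch and leaves the factory in deny-list mode, so an operator who believes the allow-list is enforced gets no signal that it is not. Consider normalising the value, e.g. `if (whiteList != null && "true".equalsIgnoreCase(whiteList.trim())) {`, and logging once which mode was selected and whether an allow or deny pattern was actually applied. The property value is also handed to `allow(...)` / `deny(...)` as one string; whether the class factory accepts several patterns in a single value is not visible in this hunk, so the expected format (and the fact that `deny` is ignored in whitelist mode and `allow` otherwise) should be stated in a comment above the three constants. The class body continues outside the hunk.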