You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@dubbo.apache.org by li...@apache.org on 2020/07/03 08:54:02 UTC
[dubbo] branch master updated: Hessian2 whitelist (#6378)
This is an automated email from the ASF dual-hosted git repository.
liujun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/master by this push:
new 11e728c Hessian2 whitelist (#6378)
11e728c is described below
commit 11e728c084b591d0c11267e0729805eeeb59bd73
Author: ken.lj <ke...@gmail.com>
AuthorDate: Fri Jul 3 16:53:51 2020 +0800
Hessian2 whitelist (#6378)
fixes #6364
---
dubbo-dependencies-bom/pom.xml | 2 +-
.../hessian2/Hessian2SerializerFactory.java | 29 +++++++++++++++++++++-
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/dubbo-dependencies-bom/pom.xml b/dubbo-dependencies-bom/pom.xml
index eae1bc8..c2426e2 100644
--- a/dubbo-dependencies-bom/pom.xml
+++ b/dubbo-dependencies-bom/pom.xml
@@ -152,7 +152,7 @@
<activation_version>1.2.0</activation_version>
<test_container_version>1.11.2</test_container_version>
<etcd_launcher_version>0.3.0</etcd_launcher_version>
- <hessian_lite_version>3.2.7</hessian_lite_version>
+ <hessian_lite_version>3.2.8</hessian_lite_version>
<swagger_version>1.5.19</swagger_version>
<spring_test_version>4.3.16.RELEASE</spring_test_version>
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
index a5c5a90..d0ff3a7 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,11 +16,38 @@
*/
package org.apache.dubbo.common.serialize.hessian2;
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.utils.StringUtils;
+
import com.alibaba.com.caucho.hessian.io.SerializerFactory;
public class Hessian2SerializerFactory extends SerializerFactory {
+ private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
+ private static final String ALLOW = "dubbo.application.hessian2.allow";
+ private static final String DENY = "dubbo.application.hessian2.deny";
+
+ public static final SerializerFactory SERIALIZER_FACTORY;
- public static final SerializerFactory SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+ /**
+ * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+ */
+ static {
+ SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+ String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+ if ("true".equals(whiteList)) {
+ SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
+ String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+ if (StringUtils.isNotEmpty(allowPattern)) {
+ SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
+ }
+ } else {
+ SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
+ String denyPattern = ConfigurationUtils.getProperty(DENY);
+ if (StringUtils.isNotEmpty(denyPattern)) {
+ SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
+ }
+ }
+ }
private Hessian2SerializerFactory() {
}