Posted to commits@tomee.apache.org by an...@apache.org on 2015/12/03 04:07:47 UTC
tomee git commit: Use ObjectInputStreamFiltered
Repository: tomee
Updated Branches:
refs/heads/master e6dabe142 -> a7a915f36
Use ObjectInputStreamFiltered
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/a7a915f3
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/a7a915f3
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/a7a915f3
Branch: refs/heads/master
Commit: a7a915f369c825aad6f5086ef57bd9012f3163f7
Parents: e6dabe1
Author: AndyGee <an...@gmx.de>
Authored: Thu Dec 3 04:07:38 2015 +0100
Committer: AndyGee <an...@gmx.de>
Committed: Thu Dec 3 04:07:38 2015 +0100
----------------------------------------------------------------------
.../openejb/core/ObjectInputStreamFiltered.java | 39 ++++++++++++++++++++
.../openejb/core/managed/SimplePassivater.java | 3 +-
.../core/rmi/BlacklistClassResolver.java | 9 ++++-
.../logging/LoggingPreparedSqlStatement.java | 4 +-
.../java/org/apache/openejb/spi/Serializer.java | 39 +++++++++++++++-----
.../tck/cdi/tomee/embedded/BeansImpl.java | 15 ++++----
6 files changed, 88 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/a7a915f3/container/openejb-core/src/main/java/org/apache/openejb/core/ObjectInputStreamFiltered.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/ObjectInputStreamFiltered.java b/container/openejb-core/src/main/java/org/apache/openejb/core/ObjectInputStreamFiltered.java
new file mode 100644
index 0000000..8af39a6
--- /dev/null
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/ObjectInputStreamFiltered.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.openejb.core;
+
+import org.apache.openejb.core.rmi.BlacklistClassResolver;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+
+/**
+ * Ensures blacklisted classes cannot be loaded
+ */
+public class ObjectInputStreamFiltered extends ObjectInputStream {
+
+ public ObjectInputStreamFiltered(final InputStream in) throws IOException {
+ super(in);
+ }
+
+ @Override
+ protected Class resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
+ return super.resolveClass(BlacklistClassResolver.DEFAULT.check(classDesc));
+ }
+}
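Review bot: Dynamic proxies bypass the new filter: ObjectInputStream resolves a serialized java.lang.reflect.Proxy through resolveProxyClass(String[]), which does not go through resolveClass, so the proxy's interface names are loaded without ever reaching BlacklistClassResolver. Overriding resolveProxyClass and passing each interface name through `BlacklistClassResolver.DEFAULT.check(String)`, which this commit's resolver already exposes, closes that gap. Two smaller points on the same file: the raw `Class` return type on resolveClass should be `Class<?>` to match the JDK signature, and the class Javadoc would be more useful if it said the check runs on the descriptor name before any class is loaded, since that is the reason for doing it in resolveClass rather than after resolution.
```java
    @Override
    protected Class<?> resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
        return super.resolveClass(BlacklistClassResolver.DEFAULT.check(classDesc));
    }

    @Override
    protected Class<?> resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException {
        // Proxy interfaces never pass through resolveClass(), so they must be checked here.
        for (final String itf : interfaces) {
            BlacklistClassResolver.DEFAULT.check(itf);
        }
        return super.resolveProxyClass(interfaces);
    }
```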
http://git-wip-us.apache.org/repos/asf/tomee/blob/a7a915f3/container/openejb-core/src/main/java/org/apache/openejb/core/managed/SimplePassivater.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/managed/SimplePassivater.java b/container/openejb-core/src/main/java/org/apache/openejb/core/managed/SimplePassivater.java
index b0947ee..8360a16 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/managed/SimplePassivater.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/managed/SimplePassivater.java
@@ -19,6 +19,7 @@ package org.apache.openejb.core.managed;
import org.apache.openejb.SystemException;
import org.apache.openejb.core.EnvProps;
+import org.apache.openejb.core.ObjectInputStreamFiltered;
import org.apache.openejb.loader.IO;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.util.LogCategory;
@@ -107,7 +108,7 @@ public class SimplePassivater implements PassivationStrategy {
if (sessionFile.exists()) {
logger.info("Activating from file " + sessionFile);
- final ObjectInputStream ois = new ObjectInputStream(IO.read(sessionFile));
+ final ObjectInputStream ois = new ObjectInputStreamFiltered(IO.read(sessionFile));
final Object state = ois.readObject();
ois.close();
if (!sessionFile.delete()) {
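Review bot: `ois.close()` on the line after the new ObjectInputStreamFiltered construction is skipped whenever readObject() throws, which now includes the SecurityException raised by the filter, so the handle opened by IO.read(sessionFile) leaks precisely in the case where the stream is rejected; the method containing this code starts and ends outside the hunk. Moving the close into a finally block keeps the file closed on every path, the same shape the Serializer change in this commit already uses. The same unclosed-stream pattern appears in BeansImpl.deserialize in this commit, though there the source is a ByteArrayInputStream, so nothing beyond the object graph is held.
```java
final ObjectInputStream ois = new ObjectInputStreamFiltered(IO.read(sessionFile));
final Object state;
try {
    state = ois.readObject();
} finally {
    ois.close();
}
// … unchanged: sessionFile.delete() check and the rest of the method …
```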
http://git-wip-us.apache.org/repos/asf/tomee/blob/a7a915f3/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
index 4ca5299..0d3b994 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
@@ -16,6 +16,8 @@
*/
package org.apache.openejb.core.rmi;
+import java.io.ObjectStreamClass;
+
public class BlacklistClassResolver {
public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
toArray(System.getProperty(
@@ -35,6 +37,11 @@ public class BlacklistClassResolver {
return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name);
}
+ public final ObjectStreamClass check(final ObjectStreamClass classDesc) {
+ check(classDesc.getName());
+ return classDesc;
+ }
+
public final String check(final String name) {
if (isBlacklisted(name)) {
throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
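Review bot: The new check(ObjectStreamClass) overload has no Javadoc, and since ObjectInputStreamFiltered now depends on it as the sole enforcement point, its contract should be stated explicitly, e.g. `/** Validates {@code classDesc.getName()} against the configured lists and returns the descriptor unchanged. @throws SecurityException if the class is blacklisted, or not whitelisted when a whitelist is configured */`. It is also worth saying in that Javadoc that ObjectStreamClass.getName() reports array classes in JVM form (`[Lpkg.Type;`), so a prefix entry such as `pkg.` compared by contains() will not match the array descriptor of a type it otherwise blocks; as far as I can tell the element descriptors are still checked individually when they are read, but the array class itself is resolved first. The enclosing class continues outside the hunk.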
@@ -46,7 +53,7 @@ public class BlacklistClassResolver {
return property == null ? null : property.split(" *, *");
}
- private static boolean contains(final String[] list, String name) {
+ private static boolean contains(final String[] list, final String name) {
if (list != null) {
for (final String white : list) {
if (name.startsWith(white)) {
http://git-wip-us.apache.org/repos/asf/tomee/blob/a7a915f3/container/openejb-core/src/main/java/org/apache/openejb/resource/jdbc/logging/LoggingPreparedSqlStatement.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/resource/jdbc/logging/LoggingPreparedSqlStatement.java b/container/openejb-core/src/main/java/org/apache/openejb/resource/jdbc/logging/LoggingPreparedSqlStatement.java
index 242d6b8..9b78d3f 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/resource/jdbc/logging/LoggingPreparedSqlStatement.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/resource/jdbc/logging/LoggingPreparedSqlStatement.java
@@ -17,12 +17,12 @@
package org.apache.openejb.resource.jdbc.logging;
+import org.apache.openejb.core.ObjectInputStreamFiltered;
import org.apache.openejb.util.Join;
import org.apache.openejb.util.LogCategory;
import org.apache.openejb.util.Logger;
import java.io.ByteArrayInputStream;
-import java.io.ObjectInputStream;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.sql.ParameterMetaData;
@@ -88,7 +88,7 @@ public class LoggingPreparedSqlStatement implements InvocationHandler {
final ByteArrayInputStream bais = ByteArrayInputStream.class.cast(param.value);
try {
bais.reset(); // already read when arriving here - mainly openjpa case
- val = new ObjectInputStream(bais).readObject().toString();
+ val = new ObjectInputStreamFiltered(bais).readObject().toString();
} catch (final Exception e) {
val = param.value.toString();
}
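Review bot: A SecurityException thrown by the filter on the new `val = new ObjectInputStreamFiltered(bais)...` line is caught by the `catch (final Exception e)` directly below it and silently replaced with `param.value.toString()`, so a rejected class in a bound parameter leaves no trace; the method continues outside the hunk. Because this code path exists for logging, a dedicated branch placed before the generic catch, `} catch (final SecurityException se) { /* log at warn with se.getMessage() */ val = param.value.toString(); }`, would keep the fallback while recording that the filter fired. The file imports Logger and LogCategory, so a logger is presumably available, but its field is not visible in this hunk.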
http://git-wip-us.apache.org/repos/asf/tomee/blob/a7a915f3/container/openejb-core/src/main/java/org/apache/openejb/spi/Serializer.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/spi/Serializer.java b/container/openejb-core/src/main/java/org/apache/openejb/spi/Serializer.java
index 4e412bb..d176387 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/spi/Serializer.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/spi/Serializer.java
@@ -14,9 +14,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package org.apache.openejb.spi;
+import org.apache.openejb.core.ObjectInputStreamFiltered;
+
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
@@ -26,18 +27,36 @@ import java.io.ObjectOutputStream;
public class Serializer {
public static Object deserialize(final byte[] bytes)
- throws IOException, ClassNotFoundException {
- final ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- final ObjectInputStream ois = new ObjectInputStream(bais);
- return ois.readObject();
+ throws IOException, ClassNotFoundException {
+
+ ObjectInputStream ois = null;
+
+ try {
+ final ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ois = new ObjectInputStreamFiltered(bais);
+ return ois.readObject();
+ } finally {
+ if (ois != null) {
+ ois.close();
+ }
+ }
}
public static byte[] serialize(final Object object) throws IOException {
- final ByteArrayOutputStream baos = new ByteArrayOutputStream();
- final ObjectOutputStream oos = new ObjectOutputStream(baos);
- oos.writeObject(object);
- oos.flush();
- return baos.toByteArray();
+
+ ObjectOutputStream oos = null;
+
+ try {
+ final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ oos = new ObjectOutputStream(baos);
+ oos.writeObject(object);
+ oos.flush();
+ return baos.toByteArray();
+ } finally {
+ if (oos != null) {
+ oos.close();
+ }
+ }
}
}
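Review bot: `deserialize` now throws an unchecked SecurityException (from BlacklistClassResolver via ObjectInputStreamFiltered) in addition to the declared IOException and ClassNotFoundException, and nothing in the signature or a Javadoc tells callers that catch only the two checked types. A `@throws SecurityException if the stream references a class rejected by {@code BlacklistClassResolver.DEFAULT}` on `deserialize`, plus a one-line summary on each method, would make the contract visible. On style, the null-initialised `ois`/`oos` with a null-checked finally is the pre-Java-7 shape; if this module compiles for Java 7 or later, try-with-resources on the two streams expresses the same cleanup in fewer lines, but the target level is not visible from the hunk.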
http://git-wip-us.apache.org/repos/asf/tomee/blob/a7a915f3/tck/cdi-tomee-embedded/src/main/java/org/apache/openejb/tck/cdi/tomee/embedded/BeansImpl.java
----------------------------------------------------------------------
diff --git a/tck/cdi-tomee-embedded/src/main/java/org/apache/openejb/tck/cdi/tomee/embedded/BeansImpl.java b/tck/cdi-tomee-embedded/src/main/java/org/apache/openejb/tck/cdi/tomee/embedded/BeansImpl.java
index a3d4a66..4b6b27c 100644
--- a/tck/cdi-tomee-embedded/src/main/java/org/apache/openejb/tck/cdi/tomee/embedded/BeansImpl.java
+++ b/tck/cdi-tomee-embedded/src/main/java/org/apache/openejb/tck/cdi/tomee/embedded/BeansImpl.java
@@ -16,6 +16,7 @@
*/
package org.apache.openejb.tck.cdi.tomee.embedded;
+import org.apache.openejb.core.ObjectInputStreamFiltered;
import org.apache.openejb.core.ivm.IntraVmCopyMonitor;
import org.apache.openejb.core.ivm.IntraVmProxy;
@@ -30,17 +31,17 @@ import java.io.ObjectOutputStream;
*/
public class BeansImpl implements org.jboss.jsr299.tck.spi.Beans {
- public boolean isProxy(Object instance) {
+ public boolean isProxy(final Object instance) {
System.out.println("isProxy: " + instance);
return instance instanceof IntraVmProxy || instance.getClass().getName().contains("$Owb");
}
@Override
- public byte[] serialize(Object instance) throws IOException {
+ public byte[] serialize(final Object instance) throws IOException {
IntraVmCopyMonitor.prePassivationOperation();
try {
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- ObjectOutputStream os = new ObjectOutputStream(baos);
+ final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ final ObjectOutputStream os = new ObjectOutputStream(baos);
os.writeObject(instance);
os.flush();
return baos.toByteArray();
@@ -50,9 +51,9 @@ public class BeansImpl implements org.jboss.jsr299.tck.spi.Beans {
}
@Override
- public Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
- ObjectInputStream is = new ObjectInputStream(bais);
+ public Object deserialize(final byte[] bytes) throws IOException, ClassNotFoundException {
+ final ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ final ObjectInputStream is = new ObjectInputStreamFiltered(bais);
return is.readObject();
}
}