Posted to commits@batchee.apache.org by rm...@apache.org on 2015/11/27 12:50:54 UTC
incubator-batchee git commit: BATCHEE-74 blacklisting
org.codehaus.groovy.runtime., org.apache.commons.collections.functors.,
org.apache.xalan in TCCLObjectInputStream
Repository: incubator-batchee
Updated Branches:
refs/heads/master 93e36df30 -> cfd133c30
BATCHEE-74 blacklisting org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in TCCLObjectInputStream
Project: http://git-wip-us.apache.org/repos/asf/incubator-batchee/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-batchee/commit/cfd133c3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-batchee/tree/cfd133c3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-batchee/diff/cfd133c3
Branch: refs/heads/master
Commit: cfd133c309c21a82fb24cfcc9a7c2365aee4678a
Parents: 93e36df
Author: Romain Manni-Bucau <rm...@gmail.com>
Authored: Fri Nov 27 12:50:47 2015 +0100
Committer: Romain Manni-Bucau <rm...@gmail.com>
Committed: Fri Nov 27 12:50:47 2015 +0100
----------------------------------------------------------------------
.../container/util/TCCLObjectInputStream.java | 25 +++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-batchee/blob/cfd133c3/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
----------------------------------------------------------------------
diff --git a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
index b88bc6f..e93e7bc 100755
--- a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
+++ b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
@@ -23,6 +23,10 @@ import java.io.ObjectStreamClass;
import java.lang.reflect.Proxy;
public class TCCLObjectInputStream extends ObjectInputStream {
+ private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
+ "batchee.BlacklistClassResolver",
+ "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));
+
private final ClassLoader tccl;
public TCCLObjectInputStream(final InputStream in) throws IOException {
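Review bot: An empty or leading-comma value of the `batchee.BlacklistClassResolver` property turns the prefix list into a deny-everything filter: `"".split(" *, *")` yields `[""]`, and `name.startsWith("")` is true for every class name, so an operator who clears the property to disable the list instead makes every deserialisation fail with the SecurityException raised in BlacklistClassResolver.check in the third hunk. Filtering empty entries at the match site, `if (!white.isEmpty() && name.startsWith(white))`, or dropping them when the array is built, avoids that. The constant also deserves a comment stating the contract, e.g. `// Comma-separated class-name prefixes refused by resolveClass(); override with -Dbatchee.BlacklistClassResolver=prefix1,prefix2`, since the property name alone does not say that entries are prefixes or that the default list is replaced rather than extended. The class body continues outside this hunk.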
@@ -32,7 +36,7 @@ public class TCCLObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException {
- return Class.forName(desc.getName(), false, tccl);
+ return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, tccl);
}
@Override
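Review bot: Only resolveClass passes the class name through `BLACKLIST_CLASSES.check`; the overriding method that starts after the `@Override` on the last line of this hunk is outside the hunk and unchanged by the commit, and given the `java.lang.reflect.Proxy` import it is presumably resolveProxyClass. If that override still resolves the interface names it is given without the same check, the prefix filter applies to ordinary classes but not to the interfaces loaded for a proxy, so the filter is not uniformly enforced. Routing each interface name through `BLACKLIST_CLASSES.check(...)` there would make coverage consistent with what this hunk does for resolveClass.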
@@ -48,4 +52,23 @@ public class TCCLObjectInputStream extends ObjectInputStream {
throw new ClassNotFoundException(null, e);
}
}
+
+ private static final class BlacklistClassResolver {
+ private final String[] blacklist;
+
+ protected BlacklistClassResolver(final String[] blacklist) {
+ this.blacklist = blacklist;
+ }
+
+ public final String check(final String name) {
+ if (blacklist != null) {
+ for (final String white : blacklist) {
+ if (name.startsWith(white)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ }
+ }
+ return name;
+ }
+ }
}
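Review bot: The loop variable `white` and the message "is not whitelisted as deserialisable" describe the opposite of what the code does: `blacklist` holds prefixes that are refused, so a match means the name is blacklisted, and the current wording will mislead anyone reading a failure log; `for (final String prefix : blacklist)` and `throw new SecurityException(name + " is blacklisted for deserialisation, prevented before loading.");` would match the semantics. The `blacklist != null` guard is dead code, since the only caller in the first hunk passes the result of `String.split`, which never returns null, and `protected` on the constructor of a private static final nested class adds nothing over `private`. Also, the method declared at line 42 lists only ClassNotFoundException, while this unchecked SecurityException escapes callers that catch ClassNotFoundException or IOException around readObject; declaring `throws IOException` (permitted by ObjectInputStream.resolveClass) and throwing `InvalidClassException(name, "blacklisted for deserialisation")` would keep existing error handling intact.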