You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Olof Larsson (Jira)" <ji...@apache.org> on 2019/11/06 08:45:00 UTC

[jira] [Updated] (HTTPCLIENT-2023) Whitelist Char Array in DefaultHttpCacheEntrySerializer

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-2023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olof Larsson updated HTTPCLIENT-2023:
-------------------------------------
    Description: 
*Intro*
 Please add char array to ALLOWED_CLASS_PATTERNS in DefaultHttpCacheEntrySerializer.

*Further Explanation*
 The current ALLOWED_CLASS_PATTERNS looks like this:
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
        Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
        Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
        Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
        Pattern.compile("^\\[B$")));
{code}
As we can se byte arrays are allowed (at the end) but not char arrays. This currently blocks me from upgrading from 4.5.8 to 4.5.10 because the HttpCacheEntry may contain char arrays.

The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;" field, which contains "private char[] buffer;".

*Proposed Solution*
 Maybe it would make sense to *whitelist all arrays of primitives* (as opposed to just arrays of bytes)? That way future code changes does not risk breaking the DefaultHttpCacheEntrySerializer?

The code might look something like this?
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
        Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
        Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
        Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
        Pattern.compile("^\\[+Z$"), // boolean
        Pattern.compile("^\\[+B$"), // byte
        Pattern.compile("^\\[+C$"), // char
        Pattern.compile("^\\[+D$"), // double
        Pattern.compile("^\\[+F$"), // float
        Pattern.compile("^\\[+I$"), // int
        Pattern.compile("^\\[+J$"), // long
        Pattern.compile("^\\[+S$") // short
));
{code}
Note that I removed groups where unnecessary (to avoid capturing) and made the required group non capturing "?:" as well as added support for arrays of arrays of arrays.

  was:
*Intro*
 Please add char array to ALLOWED_CLASS_PATTERNS in DefaultHttpCacheEntrySerializer.

*Further Explanation*
 The current ALLOWED_CLASS_PATTERNS looks like this:
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
        Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
        Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
        Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
        Pattern.compile("^\\[B$")));
{code}
As we can se byte arrays are allowed (at the end) but not char arrays. This currently blocks me from upgrading from 4.5.8 to 4.5.10 because the HttpCacheEntry may contain char arrays.

The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;" field, which contains "private char[] buffer;".

*Proposed Solution*
 Maybe it would make sense to *whitelist all arrays of primitives* (as opposed to just arrays of bytes)? That way future code changes does not risk breaking the DefaultHttpCacheEntrySerializer?

The code might look something like this?
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
        Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
        Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
        Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
        Pattern.compile("^\\[+Z$"), // boolean
        Pattern.compile("^\\[+B$"), // byte
        Pattern.compile("^\\[+C$"), // char
        Pattern.compile("^\\[+D$"), // double
        Pattern.compile("^\\[+F$"), // float
        Pattern.compile("^\\[+I$"), // int
        Pattern.compile("^\\[+J$"), // long
        Pattern.compile("^\\[+S$") // short
));
{code}
Note that I removed groups where unnecessary (to avoid capturing) and made the required group non capturing "?:" as well as added support for arrays of arrays of arrays as well.


> Whitelist Char Array in DefaultHttpCacheEntrySerializer
> -------------------------------------------------------
>
>                 Key: HTTPCLIENT-2023
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2023
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpCache
>    Affects Versions: 4.5.10
>            Reporter: Olof Larsson
>            Priority: Major
>
> *Intro*
>  Please add char array to ALLOWED_CLASS_PATTERNS in DefaultHttpCacheEntrySerializer.
> *Further Explanation*
>  The current ALLOWED_CLASS_PATTERNS looks like this:
> {code:java}
> private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
>         Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
>         Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
>         Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
>         Pattern.compile("^\\[B$")));
> {code}
> As we can se byte arrays are allowed (at the end) but not char arrays. This currently blocks me from upgrading from 4.5.8 to 4.5.10 because the HttpCacheEntry may contain char arrays.
> The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;" field, which contains "private char[] buffer;".
> *Proposed Solution*
>  Maybe it would make sense to *whitelist all arrays of primitives* (as opposed to just arrays of bytes)? That way future code changes does not risk breaking the DefaultHttpCacheEntrySerializer?
> The code might look something like this?
> {code:java}
> private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
>         Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
>         Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
>         Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
>         Pattern.compile("^\\[+Z$"), // boolean
>         Pattern.compile("^\\[+B$"), // byte
>         Pattern.compile("^\\[+C$"), // char
>         Pattern.compile("^\\[+D$"), // double
>         Pattern.compile("^\\[+F$"), // float
>         Pattern.compile("^\\[+I$"), // int
>         Pattern.compile("^\\[+J$"), // long
>         Pattern.compile("^\\[+S$") // short
> ));
> {code}
> Note that I removed groups where unnecessary (to avoid capturing) and made the required group non capturing "?:" as well as added support for arrays of arrays of arrays.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org