You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Olof Larsson (Jira)" <ji...@apache.org> on 2019/11/06 08:45:00 UTC
[jira] [Updated] (HTTPCLIENT-2023) Whitelist Char Array in
DefaultHttpCacheEntrySerializer
[ https://issues.apache.org/jira/browse/HTTPCLIENT-2023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olof Larsson updated HTTPCLIENT-2023:
-------------------------------------
Description:
*Intro*
Please add char array to ALLOWED_CLASS_PATTERNS in DefaultHttpCacheEntrySerializer.
*Further Explanation*
The current ALLOWED_CLASS_PATTERNS looks like this:
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
Pattern.compile("^\\[B$")));
{code}
As we can se byte arrays are allowed (at the end) but not char arrays. This currently blocks me from upgrading from 4.5.8 to 4.5.10 because the HttpCacheEntry may contain char arrays.
The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;" field, which contains "private char[] buffer;".
*Proposed Solution*
Maybe it would make sense to *whitelist all arrays of primitives* (as opposed to just arrays of bytes)? That way future code changes does not risk breaking the DefaultHttpCacheEntrySerializer?
The code might look something like this?
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
Pattern.compile("^\\[+Z$"), // boolean
Pattern.compile("^\\[+B$"), // byte
Pattern.compile("^\\[+C$"), // char
Pattern.compile("^\\[+D$"), // double
Pattern.compile("^\\[+F$"), // float
Pattern.compile("^\\[+I$"), // int
Pattern.compile("^\\[+J$"), // long
Pattern.compile("^\\[+S$") // short
));
{code}
Note that I removed groups where unnecessary (to avoid capturing) and made the required group non capturing "?:" as well as added support for arrays of arrays of arrays.
was:
*Intro*
Please add char array to ALLOWED_CLASS_PATTERNS in DefaultHttpCacheEntrySerializer.
*Further Explanation*
The current ALLOWED_CLASS_PATTERNS looks like this:
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
Pattern.compile("^\\[B$")));
{code}
As we can se byte arrays are allowed (at the end) but not char arrays. This currently blocks me from upgrading from 4.5.8 to 4.5.10 because the HttpCacheEntry may contain char arrays.
The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;" field, which contains "private char[] buffer;".
*Proposed Solution*
Maybe it would make sense to *whitelist all arrays of primitives* (as opposed to just arrays of bytes)? That way future code changes does not risk breaking the DefaultHttpCacheEntrySerializer?
The code might look something like this?
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
Pattern.compile("^\\[+Z$"), // boolean
Pattern.compile("^\\[+B$"), // byte
Pattern.compile("^\\[+C$"), // char
Pattern.compile("^\\[+D$"), // double
Pattern.compile("^\\[+F$"), // float
Pattern.compile("^\\[+I$"), // int
Pattern.compile("^\\[+J$"), // long
Pattern.compile("^\\[+S$") // short
));
{code}
Note that I removed groups where unnecessary (to avoid capturing) and made the required group non capturing "?:" as well as added support for arrays of arrays of arrays as well.
> Whitelist Char Array in DefaultHttpCacheEntrySerializer
> -------------------------------------------------------
>
> Key: HTTPCLIENT-2023
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2023
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpCache
> Affects Versions: 4.5.10
> Reporter: Olof Larsson
> Priority: Major
>
> *Intro*
> Please add char array to ALLOWED_CLASS_PATTERNS in DefaultHttpCacheEntrySerializer.
> *Further Explanation*
> The current ALLOWED_CLASS_PATTERNS looks like this:
> {code:java}
> private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
> Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
> Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
> Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
> Pattern.compile("^\\[B$")));
> {code}
> As we can se byte arrays are allowed (at the end) but not char arrays. This currently blocks me from upgrading from 4.5.8 to 4.5.10 because the HttpCacheEntry may contain char arrays.
> The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;" field, which contains "private char[] buffer;".
> *Proposed Solution*
> Maybe it would make sense to *whitelist all arrays of primitives* (as opposed to just arrays of bytes)? That way future code changes does not risk breaking the DefaultHttpCacheEntrySerializer?
> The code might look something like this?
> {code:java}
> private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
> Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
> Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
> Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
> Pattern.compile("^\\[+Z$"), // boolean
> Pattern.compile("^\\[+B$"), // byte
> Pattern.compile("^\\[+C$"), // char
> Pattern.compile("^\\[+D$"), // double
> Pattern.compile("^\\[+F$"), // float
> Pattern.compile("^\\[+I$"), // int
> Pattern.compile("^\\[+J$"), // long
> Pattern.compile("^\\[+S$") // short
> ));
> {code}
> Note that I removed groups where unnecessary (to avoid capturing) and made the required group non capturing "?:" as well as added support for arrays of arrays of arrays.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org