Posted to commits@tomee.apache.org by rm...@apache.org on 2016/03/01 16:13:51 UTC
tomee git commit: switching tomee.serialization.class.blacklist
defaults to * in our packaged distributions
Repository: tomee
Updated Branches:
refs/heads/master 5689b25ac -> 58cdbbef9
switching tomee.serialization.class.blacklist defaults to * in our packaged distributions
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/58cdbbef
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/58cdbbef
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/58cdbbef
Branch: refs/heads/master
Commit: 58cdbbef9c77ab2b44870f9d606593b49cde76d9
Parents: 5689b25
Author: Romain manni-Bucau <rm...@gmail.com>
Authored: Tue Mar 1 16:13:38 2016 +0100
Committer: Romain manni-Bucau <rm...@gmail.com>
Committed: Tue Mar 1 16:13:38 2016 +0100
----------------------------------------------------------------------
.../java/org/apache/openejb/arquillian/common/Setup.java | 5 +++++
.../openejb/arquillian/common/TomEEConfiguration.java | 9 +++++++++
.../arquillian/embedded/EmbeddedTomEEConfiguration.java | 10 +++++++++-
.../apache/openejb/core/rmi/BlacklistClassResolver.java | 2 +-
.../openejb/core/rmi/BlacklistClassResolverTest.java | 8 ++++++++
.../org/apache/openejb/client/EjbObjectInputStream.java | 2 +-
.../main/java/org/apache/tomee/installer/Installer.java | 8 ++++++++
7 files changed, 41 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java
----------------------------------------------------------------------
diff --git a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java
index eab496c..7db26ba 100644
--- a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java
+++ b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java
@@ -303,6 +303,11 @@ public class Setup {
properties.put("openejb.session.manager", "org.apache.tomee.catalina.session.QuickSessionManager");
}
+ if (configuration.isUnsafeEjbd() && "*".equals(properties.getProperty("tomee.serialization.class.blacklist", "-").trim())) {
+ properties.remove("tomee.serialization.class.blacklist");
+ properties.put("tomee.serialization.class.whitelist", "*");
+ }
+
try {
IO.writeProperties(file, properties);
} catch (final IOException e) {
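Review bot: The new branch silently overwrites any `tomee.serialization.class.whitelist` the user already configured, because `properties.put("tomee.serialization.class.whitelist", "*")` runs unconditionally once the blacklist is `*`, and it runs by default since `unsafeEjbd` is initialised to `true` in TomEEConfiguration. A user who set a package whitelist next to the packaged `blacklist = *` would expect the whitelist to be honoured once the blacklist is dropped, not replaced by allow-everything. I would keep the removal and only fall back to `*` when nothing is configured: `properties.remove("tomee.serialization.class.blacklist");` / `if (properties.getProperty("tomee.serialization.class.whitelist") == null) {` / `    properties.put("tomee.serialization.class.whitelist", "*"); }`. A short comment stating that this deliberately disables deserialization filtering for test containers would also help; the enclosing method starts and ends outside the hunk.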
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java
----------------------------------------------------------------------
diff --git a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java
index 230261c..265cb35 100644
--- a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java
+++ b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java
@@ -45,6 +45,7 @@ public class TomEEConfiguration implements ContainerConfiguration {
protected String portRange = ""; // only used if port < 0, empty means whatever, can be "1024-65535"
protected String preloadClasses; // just a client classloader.loadClass(), value is comma separated qualified names. Useful with maven resolver for instance
protected boolean quickSession = true;
+ protected boolean unsafeEjbd = true;
protected boolean unpackWars = true;
protected String properties = "";
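Review bot: `unsafeEjbd` defaults to `true`, so every Arquillian-managed container opts out of the new `blacklist = *` hardening unless the test author explicitly turns the flag off, and the field has no comment while its neighbours (`portRange`, `preloadClasses`) document their meaning. If the default is intentional, it should say so on the field: `protected boolean unsafeEjbd = true; // when true and tomee.serialization.class.blacklist=*, the blacklist is dropped and whitelist=* is set, i.e. no deserialization filtering; meant for tests only`. If the intent is to keep the packaged distribution's behaviour in tests too, a `false` default (opt-in to the unsafe mode) would be the safer choice.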
@@ -53,6 +54,14 @@ public class TomEEConfiguration implements ContainerConfiguration {
protected boolean singleDumpByArchiveName;
protected Collection<String> singleDeploymentByArchiveName = Collections.emptyList();
+ public boolean isUnsafeEjbd() {
+ return unsafeEjbd;
+ }
+
+ public void setUnsafeEjbd(final boolean unsafeEjbd) {
+ this.unsafeEjbd = unsafeEjbd;
+ }
+
public boolean isUnpackWars() {
return unpackWars;
}
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java
----------------------------------------------------------------------
diff --git a/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java b/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java
index 0d18097..ea7ea42 100644
--- a/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java
+++ b/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java
@@ -172,7 +172,15 @@ public class EmbeddedTomEEConfiguration extends TomEEConfiguration {
return new Properties();
}
- return toProperties(properties);
+ final Properties properties = toProperties(this.properties);
+ if (properties != null && isUnsafeEjbd() &&
+ "*".equals(properties.getProperty("tomee.serialization.class.blacklist", "-").trim())) {
+
+ properties.remove("tomee.serialization.class.blacklist");
+ properties.put("tomee.serialization.class.whitelist", "*");
+ }
+
+ return properties;
}
private static Properties toProperties(final String value) {
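Review bot: The local `final Properties properties = toProperties(this.properties)` shadows the `properties` String field, which is exactly why the call had to become `toProperties(this.properties)`; a later edit that drops the `this.` would compile and pass the wrong object. Renaming the local avoids the trap: `final Properties props = toProperties(this.properties);` with the following lines using `props`. The blacklist-to-whitelist rewrite is also a copy of the one added to Setup.java in this commit; extracting it into a single helper on TomEEConfiguration (e.g. `protected static void applyUnsafeEjbd(final Properties props)`) would keep the two from drifting, including the overwrite-existing-whitelist question that applies to both.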
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
index 1a07ec8..da34eec 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
@@ -56,7 +56,7 @@ public class BlacklistClassResolver {
private static boolean contains(final String[] list, final String name) {
if (list != null) {
for (final String white : list) {
- if (name.startsWith(white)) {
+ if ("*".equals(white) || name.startsWith(white)) {
return true;
}
}
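Review bot: `contains` is shared by both lists, so after this change a bare `*` entry means "match everything" for the whitelist as well as the blacklist, and nothing documents that or how the two interact when both contain it; `isBlacklisted`, which decides precedence, is outside the hunk. The test added in this commit asserts that blacklist `*` wins over explicit whitelist entries, which is worth stating where the wildcard is recognised, e.g. `// "*" matches every class; a "*" blacklist cannot be overridden by whitelist entries, it has to be removed`. The match is exact on the element, so if the property is split without trimming, `blacklist = *` with stray whitespace would not be recognised; I could not see the splitting code, so please confirm it trims.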
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
index 1174be2..af1e742 100644
--- a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
+++ b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
@@ -38,4 +38,12 @@ public class BlacklistClassResolverTest {
public void whiteList() {
assertFalse(new BlacklistClassResolver(null, new String[] { "org.apache.xalan" }).isBlacklisted("org.apache.xalan.Foo"));
}
+
+ @Test
+ public void wildcard() {
+ final BlacklistClassResolver classResolver = new BlacklistClassResolver(new String[]{"*"}, new String[] {"white", "com.white"});
+ assertTrue(classResolver.isBlacklisted("white.Foo"));
+ assertTrue(classResolver.isBlacklisted("com.white.test"));
+ assertTrue(classResolver.isBlacklisted("other.test"));
+ }
}
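Review bot: The new `wildcard` test only covers `*` in the blacklist position, but the same `contains` change makes `*` meaningful in the whitelist too, and that is precisely the configuration Setup.java and EmbeddedTomEEConfiguration now produce (blacklist removed, whitelist `*`). A second case pins that path: `assertFalse(new BlacklistClassResolver(null, new String[]{"*"}).isBlacklisted("org.apache.xalan.Foo"));`. The constructor argument order (blacklist first, whitelist second) is only visible from the existing `whiteList` test, so naming the arrays `blacklist`/`whitelist` in the new test would make the asserted precedence easier to read.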
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
----------------------------------------------------------------------
diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
index 9ce9291..7e7155b 100644
--- a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
+++ b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
@@ -123,7 +123,7 @@ public class EjbObjectInputStream extends ObjectInputStream {
private static boolean contains(final String[] list, String name) {
if (list != null) {
for (final String white : list) {
- if (name.startsWith(white)) {
+ if ("*".equals(white) || name.startsWith(white)) {
return true;
}
}
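Review bot: This `contains` is a line-for-line copy of the one in openejb-core's BlacklistClassResolver, and the wildcard handling now has to be kept identical in both places by hand; a comment pointing at the sibling would at least make the coupling visible: `// keep in sync with org.apache.openejb.core.rmi.BlacklistClassResolver#contains`. As on the server side, the `*` check is an exact comparison, so surrounding whitespace in the client's property value would defeat it unless the entries are trimmed where the list is built, which is outside the hunk. The minor style difference (`String name` here vs `final String name` in core) could be aligned while touching the line.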
http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
----------------------------------------------------------------------
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index 621c82b..4c76e4e 100644
--- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -704,6 +704,14 @@ public class Installer implements InstallerInterface {
systemPropertiesWriter.write("# for more information please see http://tomee.apache.org/properties-listing.html\n");
systemPropertiesWriter.write("\n");
+ systemPropertiesWriter.write(
+ "# allowed packages to be deserialized, by security we denied all by default, " +
+ "tune tomee.serialization.class.whitelist packages to change it\n");
+ systemPropertiesWriter.write("# tomee.remote.support = true\n");
+ systemPropertiesWriter.write("tomee.serialization.class.blacklist = *\n");
+ systemPropertiesWriter.write("# tomee.serialization.class.whitelist = my.package\n");
+
+ systemPropertiesWriter.write("\n");
systemPropertiesWriter.write("# openejb.check.classloader = false\n");
systemPropertiesWriter.write("# openejb.check.classloader.verbose = false\n");
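Review bot: The generated comment tells the user to "tune tomee.serialization.class.whitelist packages to change it", but the test added in this same commit asserts that `white.Foo` stays blacklisted when the blacklist is `*` and `white` is whitelisted, so simply uncommenting `tomee.serialization.class.whitelist = my.package` beneath `tomee.serialization.class.blacklist = *` would have no effect unless `isBlacklisted` treats the property path differently, which I cannot see here. The generated text should spell out both steps, e.g. `# deserialization of every class is denied by default (blacklist = *); to allow your own classes, replace the blacklist entry with the packages to deny and set tomee.serialization.class.whitelist` and fix the grammar ("by security we denied all" -> "for security reasons everything is denied"). The `# tomee.remote.support = true` line dropped in the middle of this block is unrelated to deserialization and unexplained; either move it next to the other commented defaults or add a word on why it sits here.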