Posted to commits@tomee.apache.org by an...@apache.org on 2015/12/03 02:20:34 UTC
[1/2] tomee git commit: commons-collections 3.2.2
Repository: tomee
Updated Branches:
refs/heads/tomee-1.7.x 62c58ff49 -> 8d0f5b8da
commons-collections 3.2.2
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/9897c846
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/9897c846
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/9897c846
Branch: refs/heads/tomee-1.7.x
Commit: 9897c84621966cd9dd2f72e02d16cf06b547c57c
Parents: 62c58ff
Author: AndyGee <an...@gmx.de>
Authored: Thu Dec 3 02:19:19 2015 +0100
Committer: AndyGee <an...@gmx.de>
Committed: Thu Dec 3 02:19:19 2015 +0100
----------------------------------------------------------------------
examples/deltaspike-fullstack/pom.xml | 2 +-
.../simple-osgi/simple-osgi-camel-client/pom.xml | 1 -
examples/troubleshooting/README.md | 2 +-
pom.xml | 19 ++++++++++++-------
4 files changed, 14 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/9897c846/examples/deltaspike-fullstack/pom.xml
----------------------------------------------------------------------
diff --git a/examples/deltaspike-fullstack/pom.xml b/examples/deltaspike-fullstack/pom.xml
index fc06d46..ccafd05 100644
--- a/examples/deltaspike-fullstack/pom.xml
+++ b/examples/deltaspike-fullstack/pom.xml
@@ -130,7 +130,7 @@
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
- <version>3.2.1</version>
+ <version>3.2.2</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
http://git-wip-us.apache.org/repos/asf/tomee/blob/9897c846/examples/simple-osgi/simple-osgi-camel-client/pom.xml
----------------------------------------------------------------------
diff --git a/examples/simple-osgi/simple-osgi-camel-client/pom.xml b/examples/simple-osgi/simple-osgi-camel-client/pom.xml
index 8b08d1b..7096317 100644
--- a/examples/simple-osgi/simple-osgi-camel-client/pom.xml
+++ b/examples/simple-osgi/simple-osgi-camel-client/pom.xml
@@ -42,7 +42,6 @@
org.superbiz.osgi.calculator,
org.apache.openejb.client;version="[4.0,5.0)"
</Import-Package>
- <Include-Resource>${pom.basedir}/src/main/resources</Include-Resource>
</instructions>
</configuration>
</plugin>
http://git-wip-us.apache.org/repos/asf/tomee/blob/9897c846/examples/troubleshooting/README.md
----------------------------------------------------------------------
diff --git a/examples/troubleshooting/README.md b/examples/troubleshooting/README.md
index bde0325..094ac12 100644
--- a/examples/troubleshooting/README.md
+++ b/examples/troubleshooting/README.md
@@ -300,7 +300,7 @@ Title: Troubleshooting
2011-10-29 11:50:20,012 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/org/apache/xbean/xbean-asm-shaded/3.8/xbean-asm-shaded-3.8.jar!/
2011-10-29 11:50:20,012 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/org/apache/openwebbeans/openwebbeans-ee-common/1.1.1/openwebbeans-ee-common-1.1.1.jar!/
2011-10-29 11:50:20,012 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/commons-pool/commons-pool/1.5.6/commons-pool-1.5.6.jar!/
- 2011-10-29 11:50:20,012 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar!/
+ 2011-10-29 11:50:20,012 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.1.jar!/
2011-10-29 11:50:20,013 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar!/
2011-10-29 11:50:20,013 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/org/apache/openwebbeans/openwebbeans-impl/1.1.1/openwebbeans-impl-1.1.1.jar!/
2011-10-29 11:50:20,013 - DEBUG - Descriptors path: jar:file:/Users/dblevins/.m2/repository/org/apache/xbean/xbean-finder-shaded/3.8/xbean-finder-shaded-3.8.jar!/
http://git-wip-us.apache.org/repos/asf/tomee/blob/9897c846/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 6ae0220..40d4980 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,7 +18,8 @@
<!-- $Rev$ $Date$ -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
@@ -109,15 +110,15 @@
<xbeanVersion>4.2</xbeanVersion>
<!-- OSGi bundles properties -->
- <openejb.bundle.activator />
+ <openejb.bundle.activator/>
<openejb.osgi.import.pkg>*</openejb.osgi.import.pkg>
<openejb.osgi.import>${openejb.osgi.import.pkg}</openejb.osgi.import>
<openejb.osgi.export.pkg>org.apache.openejb</openejb.osgi.export.pkg>
<openejb.osgi.export>${openejb.osgi.export.pkg}*;version=${openejb.osgi.export.version}</openejb.osgi.export>
- <openejb.osgi.fragment />
- <openejb.osgi.require />
+ <openejb.osgi.fragment/>
+ <openejb.osgi.require/>
<openejb.osgi.private.pkg>!*</openejb.osgi.private.pkg>
- <openejb.osgi.dynamic.import.pkg />
+ <openejb.osgi.dynamic.import.pkg/>
<openejb.osgi.export.version>${project.version}</openejb.osgi.export.version>
<openejb.osgi.dynamic.import>${openejb.osgi.dynamic.import.pkg}</openejb.osgi.dynamic.import>
<openejb.osgi.symbolic.name>${project.groupId}.${project.artifactId}</openejb.osgi.symbolic.name>
@@ -154,7 +155,7 @@
<commons-logging-api.version>1.1</commons-logging-api.version>
<commons-dbcp.version>1.4</commons-dbcp.version>
<commons-pool.version>1.5.7</commons-pool.version>
- <commons-collections.version>3.2.1</commons-collections.version>
+ <commons-collections.version>3.2.2</commons-collections.version>
<commons-codec.version>1.9</commons-codec.version>
<commons-fileupload.version>1.3.1</commons-fileupload.version>
<commons-discovery.version>0.5</commons-discovery.version>
@@ -340,7 +341,7 @@
<!-- the following settings are important when working with git -->
<localCheckout>true</localCheckout>
<pushChanges>false</pushChanges>
- <releaseProfiles />
+ <releaseProfiles/>
</configuration>
</plugin>
@@ -1540,6 +1541,10 @@
<artifactId>geronimo-jta_1.1_spec</artifactId>
</exclusion>
<exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>commons-pool</groupId>
<artifactId>commons-pool</artifactId>
</exclusion>
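Review bot: The new exclusion carries no comment saying why commons-collections is now excluded here, and the dependency it belongs to is declared above the hunk, so a later reader cannot distinguish it from an accidental exclusion. Presumably the intent is that only the managed `${commons-collections.version}` (bumped to 3.2.2 elsewhere in this commit) reaches the classpath instead of a transitive 3.2.1; as far as I recall 3.2.2 is the release that refuses to deserialize the unsafe functor classes by default, which is what makes the bump security-relevant. I would add `<!-- excluded so only the managed commons-collections.version (3.2.2+) is used; older releases ship deserialization gadget classes -->` directly above the new `<exclusion>`, and confirm with `mvn dependency:tree` that no other path still drags in 3.2.1.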
[2/2] tomee git commit: TOMEE-1669 blacklist
org.codehaus.groovy.runtime., org.apache.commons.collections.functors.,
org.apache.xalan in our custom ObjectInputStream
Posted by an...@apache.org.
TOMEE-1669 blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in our custom ObjectInputStream
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/8d0f5b8d
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/8d0f5b8d
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/8d0f5b8d
Branch: refs/heads/tomee-1.7.x
Commit: 8d0f5b8daf1e3a626a37d17ef45d8b2e3f743f71
Parents: 9897c84
Author: Romain Manni-Bucau <rm...@gmail.com>
Authored: Fri Nov 27 12:57:36 2015 +0100
Committer: AndyGee <an...@gmx.de>
Committed: Thu Dec 3 02:19:41 2015 +0100
----------------------------------------------------------------------
.../openejb/core/ivm/EjbObjectInputStream.java | 8 ++-
.../core/rmi/BlacklistClassResolver.java | 60 ++++++++++++++++++++
.../timer/quartz/QuartzObjectInputStream.java | 3 +-
.../core/rmi/BlacklistClassResolverTest.java | 41 +++++++++++++
.../openejb/client/EjbObjectInputStream.java | 43 +++++++++++++-
5 files changed, 151 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/8d0f5b8d/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java b/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
index 1f14489..9324984 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/EjbObjectInputStream.java
@@ -17,6 +17,8 @@
package org.apache.openejb.core.ivm;
+import org.apache.openejb.core.rmi.BlacklistClassResolver;
+
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
@@ -32,9 +34,11 @@ public class EjbObjectInputStream extends ObjectInputStream {
super(in);
}
+ @Override
protected Class resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
+ final String checkedName = BlacklistClassResolver.DEFAULT.check(classDesc.getName());
try {
- return Class.forName(classDesc.getName(), false, getClassloader());
+ return Class.forName(checkedName, false, getClassloader());
} catch (final ClassNotFoundException e) {
final String n = classDesc.getName();
if (n.equals("boolean")) {
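Review bot: `BlacklistClassResolver.check` signals a rejection with `SecurityException`, an unchecked exception, whereas `resolveClass` is declared to throw only `IOException` and `ClassNotFoundException`; any caller of `readObject()` that handles those two (and, on the IVM copy path, probably wraps them) will let the rejection escape as a bare runtime exception. If that is not the intent, catch it here and rethrow as `java.io.InvalidClassException`, the conventional rejection signal from `resolveClass`: `catch (final SecurityException se) { throw new InvalidClassException(classDesc.getName(), se.getMessage()); }`. Whichever is chosen, a one-line comment above the `check` call such as `// reject known deserialization gadget packages before the class is even loaded (throws SecurityException)` would save the next reader from tracing it. The method body continues into the next hunk and past it.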
@@ -62,7 +66,7 @@ public class EjbObjectInputStream extends ObjectInputStream {
return double.class;
}
- return getClass().getClassLoader().loadClass(classDesc.getName()); // if CCL is not correct
+ return getClass().getClassLoader().loadClass(checkedName); // if CCL is not correct
}
}
http://git-wip-us.apache.org/repos/asf/tomee/blob/8d0f5b8d/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
new file mode 100644
index 0000000..ffefc3a
--- /dev/null
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.openejb.core.rmi;
+
+public class BlacklistClassResolver {
+ private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist"));
+ private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist"));
+
+ public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+ new String[] { "org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan" },
+ null);
+
+ private final String[] blacklist;
+ private final String[] whitelist;
+
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
+ this.blacklist = blacklist;
+ }
+
+ protected boolean isBlacklisted(final String name) {
+ return !contains(whitelist, name) && contains(blacklist, name);
+ }
+
+ public final String check(final String name) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
+ if (name.startsWith(white)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+}
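Review bot: `WHITELIST` and `BLACKLIST` are read from the `tomee.serialization.class.whitelist`/`.blacklist` system properties but never used: `DEFAULT` is built from a hard-coded array and a `null` whitelist, and the constructor is `protected`, so the properties have no effect and operators can neither extend the deny-list nor allow a specific hit. Once they are wired, `toArray` also needs hardening: an empty or blank property becomes `{""}`, and `name.startsWith("")` is true for every name, so an empty whitelist would switch the blacklist off while an empty blacklist would reject every class. The rewrite below appends configured blacklist entries to the built-in ones (so a misconfiguration cannot silently drop the defaults), passes the whitelist through, drops blank entries, and adds the trailing dot to `org.apache.xalan` so it matches the package rather than any name starting with those letters; it needs `java.util.ArrayList`, `java.util.Arrays` and `java.util.List` imported. The message in `check` says the class "is not whitelisted", which is misleading for what is a blacklist hit; `name + " is blacklisted for deserialization, rejected before loading."` describes the decision actually made.

```java
public class BlacklistClassResolver {
    private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist"));
    private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist"));

    // built-in deny-list of packages known to host deserialization gadget classes
    private static final String[] BUILT_IN_BLACKLIST = {
        "org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan." };

    // configured entries extend the built-in ones; a configured whitelist can exempt a prefix
    public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
        withDefaults(BUILT_IN_BLACKLIST, BLACKLIST), WHITELIST);

    // … unchanged: fields, constructor, isBlacklisted, check, contains …

    // comma-separated property -> trimmed, non-blank prefixes; null when nothing usable is set
    private static String[] toArray(final String property) {
        if (property == null) {
            return null;
        }
        final List<String> prefixes = new ArrayList<String>();
        for (final String raw : property.split(",")) {
            final String prefix = raw.trim();
            if (!prefix.isEmpty()) {
                prefixes.add(prefix);
            }
        }
        return prefixes.isEmpty() ? null : prefixes.toArray(new String[prefixes.size()]);
    }

    private static String[] withDefaults(final String[] builtIn, final String[] configured) {
        if (configured == null) {
            return builtIn;
        }
        final String[] merged = Arrays.copyOf(builtIn, builtIn.length + configured.length);
        System.arraycopy(configured, 0, merged, builtIn.length, configured.length);
        return merged;
    }
}
```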
http://git-wip-us.apache.org/repos/asf/tomee/blob/8d0f5b8d/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java b/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
index f0c757c..dc2525e 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/timer/quartz/QuartzObjectInputStream.java
@@ -17,6 +17,7 @@
package org.apache.openejb.core.timer.quartz;
+import org.apache.openejb.core.rmi.BlacklistClassResolver;
import org.apache.openejb.quartz.spi.ClassLoadHelper;
import java.io.IOException;
@@ -34,6 +35,6 @@ public class QuartzObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException, IOException {
- return loader.loadClass(desc.getName());
+ return loader.loadClass(BlacklistClassResolver.DEFAULT.check(desc.getName()));
}
}
http://git-wip-us.apache.org/repos/asf/tomee/blob/8d0f5b8d/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
----------------------------------------------------------------------
diff --git a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
new file mode 100644
index 0000000..1174be2
--- /dev/null
+++ b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.openejb.core.rmi;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class BlacklistClassResolverTest {
+ @Test
+ public void blacklistDefault() {
+ assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.codehaus.groovy.runtime.Foo"));
+ assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.commons.collections.functors.Foo"));
+ assertTrue(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.xalan.Foo"));
+ }
+
+ @Test
+ public void implicitWhiteList() {
+ assertFalse(BlacklistClassResolver.DEFAULT.isBlacklisted("org.apache.tomee.Foo"));
+ }
+
+ @Test
+ public void whiteList() {
+ assertFalse(new BlacklistClassResolver(null, new String[] { "org.apache.xalan" }).isBlacklisted("org.apache.xalan.Foo"));
+ }
+}
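Review bot: None of the three tests exercises `check`, the method the object-input streams actually call, so a regression that makes it return the name instead of throwing would still pass this suite. I would add `@Test(expected = SecurityException.class) public void checkRejectsBlacklisted() { BlacklistClassResolver.DEFAULT.check("org.apache.commons.collections.functors.Foo"); }` next to `blacklistDefault`. There is also no test for the `tomee.serialization.class.whitelist`/`.blacklist` system properties that `BlacklistClassResolver` reads; since they are consumed in a static initializer, such a test would need either a fresh classloader or a constructor that takes the lists explicitly, and writing it would also show whether the properties currently take effect at all.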
http://git-wip-us.apache.org/repos/asf/tomee/blob/8d0f5b8d/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
----------------------------------------------------------------------
diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
index 6254f78..a5992cc 100644
--- a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
+++ b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
@@ -26,6 +26,9 @@ import java.lang.reflect.Proxy;
* @version $Rev$ $Date$
*/
public class EjbObjectInputStream extends ObjectInputStream {
+ public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+ new String[]{"org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan"},
+ null);
public EjbObjectInputStream(final InputStream in) throws IOException {
super(in);
@@ -33,7 +36,7 @@ public class EjbObjectInputStream extends ObjectInputStream {
@Override
protected Class<?> resolveClass(final ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
- final String n = classDesc.getName();
+ final String n = DEFAULT.check(classDesc.getName());
final ClassLoader classloader = getClassloader();
try {
return Class.forName(n, false, classloader);
@@ -87,4 +90,42 @@ public class EjbObjectInputStream extends ObjectInputStream {
return Thread.currentThread().getContextClassLoader();
}
+ public static class BlacklistClassResolver {
+ private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist"));
+ private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist"));
+
+ private final String[] blacklist;
+ private final String[] whitelist;
+
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
+ this.blacklist = blacklist;
+ }
+
+ protected boolean isBlacklisted(final String name) {
+ return !contains(whitelist, name) && contains(blacklist, name);
+ }
+
+ public final String check(final String name) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
+ if (name.startsWith(white)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+ }
}
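Review bot: This nested `BlacklistClassResolver` is a copy of the one added to openejb-core in the same commit and carries the same defect: `WHITELIST` and `BLACKLIST` are read from the `tomee.serialization.class.*` system properties at the top of the nested class, but `DEFAULT` on the enclosing class is built from a hard-coded array and a `null` whitelist, so the client-side stream cannot be configured at all. Presumably the copy exists because openejb-client must not depend on openejb-core; if so, the three default prefixes should at least live in one shared constant so the two lists do not drift, and `DEFAULT` should pass the properties through, e.g. `new BlacklistClassResolver(withDefaults(BUILT_IN, BLACKLIST), WHITELIST)` where `withDefaults` appends the configured entries to the built-in ones. Blank properties need the same care as in the core copy: `"".split(" *, *")` yields `{""}`, which `startsWith` matches for every class name, so an empty whitelist would disable the deny-list. The nested class and the enclosing class both end within this hunk, so the change is self-contained here.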