Posted to commits@commons.apache.org by rm...@apache.org on 2015/11/27 13:42:54 UTC
svn commit: r1716865 -
/commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
Author: rmannibucau
Date: Fri Nov 27 12:42:53 2015
New Revision: 1716865
URL: http://svn.apache.org/viewvc?rev=1716865&view=rev
Log:
better whitelist handling in BlacklistClassResolver
Modified:
commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
Modified: commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
URL: http://svn.apache.org/viewvc/commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java?rev=1716865&r1=1716864&r2=1716865&view=diff
==============================================================================
--- commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java (original)
+++ commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java Fri Nov 27 12:42:53 2015
@@ -24,61 +24,72 @@ import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.lang.reflect.Proxy;
-public class ObjectInputStreamClassLoaderAware extends ObjectInputStream
-{
- private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
- "jcs.BlacklistClassResolver",
- "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));
-
+public class ObjectInputStreamClassLoaderAware extends ObjectInputStream {
private final ClassLoader classLoader;
- public ObjectInputStreamClassLoaderAware(final InputStream in, final ClassLoader classLoader) throws IOException
- {
+ public ObjectInputStreamClassLoaderAware(final InputStream in, final ClassLoader classLoader) throws IOException {
super(in);
this.classLoader = classLoader != null ? classLoader : Thread.currentThread().getContextClassLoader();
}
@Override
- protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException
- {
- return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, classLoader);
+ protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException {
+ return Class.forName(BlacklistClassResolver.DEFAULT.check(desc.getName()), false, classLoader);
}
@Override
- protected Class resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException
- {
+ protected Class resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException {
final Class[] cinterfaces = new Class[interfaces.length];
- for (int i = 0; i < interfaces.length; i++)
- {
+ for (int i = 0; i < interfaces.length; i++) {
cinterfaces[i] = Class.forName(interfaces[i], false, classLoader);
}
- try
- {
+ try {
return Proxy.getProxyClass(classLoader, cinterfaces);
- }
- catch (IllegalArgumentException e)
- {
+ } catch (IllegalArgumentException e) {
throw new ClassNotFoundException(null, e);
}
}
- private static final class BlacklistClassResolver {
+ private static class BlacklistClassResolver {
+ private static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+ toArray(System.getProperty(
+ "jcs.serialization.class.blacklist",
+ "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+ toArray(System.getProperty("jcs.serialization.class.whitelist")));
+
private final String[] blacklist;
+ private final String[] whitelist;
- protected BlacklistClassResolver(final String[] blacklist) {
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
this.blacklist = blacklist;
}
+ protected boolean isBlacklisted(final String name) {
+ return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name);
+ }
+
public final String check(final String name) {
- if (blacklist != null) {
- for (final String white : blacklist) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
if (name.startsWith(white)) {
- throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ return true;
}
}
}
- return name;
+ return false;
}
}
}
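Review bot: The blacklist/whitelist is still bypassed in `resolveProxyClass`, where each interface name from the stream is passed straight to `Class.forName(interfaces[i], false, classLoader)` without going through `BlacklistClassResolver.DEFAULT.check(...)`, so an attacker-controlled proxy descriptor can trigger loading (and static initialization is deferred, but class resolution is not) of any interface regardless of the new whitelist; the loop line should become `cinterfaces[i] = Class.forName(BlacklistClassResolver.DEFAULT.check(interfaces[i]), false, classLoader);`. Two smaller points on the new resolver: `contains` matches by `startsWith`, so an empty element (e.g. `-Djcs.serialization.class.whitelist=` or a trailing comma) becomes `""` and matches every name, which for the whitelist silently allows everything — `toArray` should drop blank entries after splitting. The system property was also renamed from `jcs.BlacklistClassResolver` to `jcs.serialization.class.blacklist` with no fallback, so deployments that configured the old name silently revert to the built-in default list; consider reading the old name as a fallback or noting the rename in the changelog.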