Posted to commits@dubbo.apache.org by li...@apache.org on 2020/07/03 08:53:50 UTC
[dubbo] branch 2.6.x updated: hessian whitelist (#6388)
This is an automated email from the ASF dual-hosted git repository.
liujun pushed a commit to branch 2.6.x
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/2.6.x by this push:
new 4a8abfd hessian whitelist (#6388)
4a8abfd is described below
commit 4a8abfd0ba16258c3a7a0c30a7421d4361c8aafc
Author: ken.lj <ke...@gmail.com>
AuthorDate: Fri Jul 3 16:53:30 2020 +0800
hessian whitelist (#6388)
---
dependencies-bom/pom.xml | 2 +-
.../hessian2/Hessian2SerializerFactory.java | 28 +++++++++++++++++++++-
2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/dependencies-bom/pom.xml b/dependencies-bom/pom.xml
index 50e78e2..8ded14c 100644
--- a/dependencies-bom/pom.xml
+++ b/dependencies-bom/pom.xml
@@ -127,7 +127,7 @@
<jaxb_version>2.2.7</jaxb_version>
<activation_version>1.2.0</activation_version>
- <hessian_lite_version>3.2.5</hessian_lite_version>
+ <hessian_lite_version>3.2.8</hessian_lite_version>
<alibaba_spring_context_support_version>1.0.2</alibaba_spring_context_support_version>
<yaml_version>1.17</yaml_version>
</properties>
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/com/alibaba/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/com/alibaba/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
index d7ed95d..f1bfbc3 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/com/alibaba/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/com/alibaba/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -17,10 +17,36 @@
package com.alibaba.dubbo.common.serialize.hessian2;
import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+import com.alibaba.dubbo.common.utils.ConfigUtils;
+import com.alibaba.dubbo.common.utils.StringUtils;
public class Hessian2SerializerFactory extends SerializerFactory {
+ private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
+ private static final String ALLOW = "dubbo.application.hessian2.allow";
+ private static final String DENY = "dubbo.application.hessian2.deny";
- public static final SerializerFactory SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+ public static final SerializerFactory SERIALIZER_FACTORY;
+
+ /**
+ * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+ */
+ static {
+ SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+ String whiteList = ConfigUtils.getProperty(WHITELIST);
+ if ("true".equals(whiteList)) {
+ SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
+ String allowPattern = ConfigUtils.getProperty(ALLOW);
+ if (StringUtils.isNotEmpty(allowPattern)) {
+ SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
+ }
+ } else {
+ SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
+ String denyPattern = ConfigUtils.getProperty(DENY);
+ if (StringUtils.isNotEmpty(denyPattern)) {
+ SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
+ }
+ }
+ }
private Hessian2SerializerFactory() {
}
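Review bot: The allow-list switch in the static initializer fails open on a mistyped value: `"true".equals(whiteList)` is case-sensitive and untrimmed, so `True` or a value with trailing whitespace in `dubbo.application.hessian2.whitelist` silently takes the else branch and leaves deserialization in deny-list mode. Consider `if (whiteList != null && "true".equalsIgnoreCase(whiteList.trim())) {`, and log once at startup which mode was selected and which pattern was applied, so an operator can confirm the control is active. Each branch also ignores the other property without notice (`dubbo.application.hessian2.deny` is dropped in whitelist mode, `dubbo.application.hessian2.allow` otherwise); a comment such as `// allow is honoured only in whitelist mode, deny only otherwise` would make that explicit. The static block is complete in this hunk, but the class body continues past it.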