From rmannibu...@apache.org
Subject svn commit: r1716850 - /commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
Date Fri, 27 Nov 2015 11:49:19 GMT
Author: rmannibucau
Date: Fri Nov 27 11:49:19 2015
New Revision: 1716850

URL: http://svn.apache.org/viewvc?rev=1716850&view=rev
Log:
JCS-155 fixing potential deserialization issue

Modified:
    commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java

Modified: commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
URL: http://svn.apache.org/viewvc/commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java?rev=1716850&r1=1716849&r2=1716850&view=diff
==============================================================================
--- commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
(original)
+++ commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
Fri Nov 27 11:49:19 2015
@@ -26,6 +26,10 @@ import java.lang.reflect.Proxy;
 
 public class ObjectInputStreamClassLoaderAware extends ObjectInputStream
 {
+    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
+        "jcs.BlacklistClassResolver",
+        "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split("
*, *"));
+
     private final ClassLoader classLoader;
 
     public ObjectInputStreamClassLoaderAware(final InputStream in, final ClassLoader classLoader)
throws IOException
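Review bot: An empty value or a leading comma in the `jcs.BlacklistClassResolver` property yields an empty-string entry from `split(" *, *")`, and `name.startsWith("")` is true for every class, so that misconfiguration makes every deserialization throw SecurityException instead of leaving the filter unchanged. Blank entries should be dropped when `BLACKLIST_CLASSES` is built (or skipped inside `check`). The field also deserves a Javadoc stating that setting the property replaces the built-in default list rather than extending it, so an operator adding one prefix does not silently lose the groovy, collections-functors and xalan entries, and that the list is read once at class initialisation and cannot be changed afterwards. The constructor at the end of the hunk continues outside it.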
@@ -37,7 +41,7 @@ public class ObjectInputStreamClassLoade
     @Override
     protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException
     {
-        return Class.forName(desc.getName(), false, classLoader);
+        return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, classLoader);
     }
 
     @Override
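Review bot: Only `resolveClass` routes the class name through `BLACKLIST_CLASSES.check`; the `@Override` that follows and the `java.lang.reflect.Proxy` import visible in the first hunk header suggest `resolveProxyClass` is also overridden below this hunk, and the interface names it loads are not checked, so the filter appears to cover one of the two class-resolution paths. If that override exists it should apply the same check to each interface name before loading, e.g. `for (final String i : interfaces) { BLACKLIST_CLASSES.check(i); }`. A comment on `resolveClass` should also state that this is a package-prefix denylist applied before the class is loaded; an allowlist of the types the cache is expected to hold would be the stronger control where callers can enumerate them.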
@@ -59,4 +63,22 @@ public class ObjectInputStreamClassLoade
         }
     }
 
+    private static final class BlacklistClassResolver {
+        private final String[] blacklist;
+
+        protected BlacklistClassResolver(final String[] blacklist) {
+            this.blacklist = blacklist;
+        }
+
+        public final String check(final String name) {
+            if (blacklist != null) {
+                for (final String white : blacklist) {
+                    if (name.startsWith(white)) {
+                        throw new SecurityException(name + " is not whitelisted as deserialisable,
prevented before loading.");
+                    }
+                }
+            }
+            return name;
+        }
+    }
 }
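Review bot: The loop variable `white` and the message `is not whitelisted as deserialisable` describe an allowlist, but `blacklist` is a denylist and a match means the name is rejected; rename the variable to `prefix` and reword the message along the lines of `name + " is blacklisted as deserialisable, prevented before loading."` so the SecurityException reads correctly in logs. The `blacklist != null` guard is dead for the only construction site in this commit, since a `split` result is never null, and a `protected` constructor on a `private static final` nested class is effectively `private`. A one-line Javadoc on `BlacklistClassResolver` saying it rejects class names by package prefix, and that `check` returns the name unchanged when no prefix matches, would make the contract clear.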


