
From rmannibu...@apache.org
Subject svn commit: r1716853 - /openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
Date Fri, 27 Nov 2015 11:52:56 GMT
Author: rmannibucau
Date: Fri Nov 27 11:52:55 2015
New Revision: 1716853

URL: http://svn.apache.org/viewvc?rev=1716853&view=rev
Log:
OWB-1100 blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan
in OwbCustomObjectInputStream

Modified:
    openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java

Modified: openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
URL: http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java?rev=1716853&r1=1716852&r2=1716853&view=diff
==============================================================================
--- openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
(original)
+++ openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
Fri Nov 27 11:52:55 2015
@@ -26,6 +26,10 @@ import java.lang.reflect.Proxy;
 
 public class OwbCustomObjectInputStream extends ObjectInputStream
 {
+    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
+        "openwebbeans.BlacklistClassResolver",
+        "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split("
*, *"));
+
     private ClassLoader classLoader;
 
     public OwbCustomObjectInputStream(InputStream in, ClassLoader classLoader) throws IOException
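Review bot: An empty `openwebbeans.BlacklistClassResolver` value makes the stream reject every class, because `"".split(" *, *")` yields a single empty string and `name.startsWith("")` is true for any name; a trailing comma leaves a blank entry with the same effect. The loop in `check` (third hunk) should skip blank prefixes, `if (white.isEmpty()) { continue; }`, or the parsing here should drop them before the array is stored. The property name, its comma-separated format and the prefix-match semantics are otherwise undocumented; a comment on the field such as `// Deny-list of class-name prefixes refused by resolveClass, overridable via the openwebbeans.BlacklistClassResolver system property (comma-separated). The defaults target packages with known deserialisation gadgets, so this is defence in depth rather than an allow-list.` would tell operators what they are tuning.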
@@ -37,7 +41,7 @@ public class OwbCustomObjectInputStream
     @Override
     protected Class<?> resolveClass(ObjectStreamClass desc) throws ClassNotFoundException
     {
-        return Class.forName(desc.getName(), false, classLoader);
+        return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, classLoader);
     }
 
     @Override
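Review bot: Only `resolveClass` is routed through `BLACKLIST_CLASSES.check`; the override that begins at the `@Override` immediately after this hunk lies outside it, and given the `java.lang.reflect.Proxy` import it is presumably `resolveProxyClass`, which also resolves caller-supplied interface names. If that is the case, each interface name should go through the same check before its `Class.forName` call, something like `Class.forName(BLACKLIST_CLASSES.check(interfaceName), false, classLoader)`, so a denied prefix cannot be reached through the proxy path. A short Javadoc on `resolveClass`, stating that it throws SecurityException for blacklisted names before any class is loaded, would also document the new contract for callers catching only ClassNotFoundException.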
@@ -58,4 +62,29 @@ public class OwbCustomObjectInputStream
             throw new ClassNotFoundException(null, e);
         }
     }
+
+    private static final class BlacklistClassResolver
+    {
+        private final String[] blacklist;
+
+        protected BlacklistClassResolver(final String[] blacklist)
+        {
+            this.blacklist = blacklist;
+        }
+
+        public final String check(final String name)
+        {
+            if (blacklist != null)
+            {
+                for (final String white : blacklist)
+                {
+                    if (name.startsWith(white))
+                    {
+                        throw new SecurityException(name + " is not whitelisted as deserialisable,
prevented before loading.");
+                    }
+                }
+            }
+            return name;
+        }
+    }
 }
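Review bot: The SecurityException text in `check` says the class "is not whitelisted", but the mechanism is a prefix blacklist, which will mislead whoever reads the log while tuning `openwebbeans.BlacklistClassResolver`; `throw new SecurityException(name + " matches a blacklisted prefix and is refused for deserialisation, prevented before loading.");` describes what actually happened. The `blacklist != null` guard is dead because the only constructor call passes a `String.split` result, which is never null, and the loop variable `white` holds a blacklist entry, so `prefix` would read correctly. `protected` on the constructor of a private static final class and `final` on a method of a final class are both redundant. A one-line Javadoc on `check`, `/** Returns {@code name} unchanged, or throws SecurityException if it starts with a blacklisted prefix. */`, would complete the class.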


