From rmannibu...@apache.org
Subject svn commit: r1716862 - /openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
Date Fri, 27 Nov 2015 12:38:06 GMT
Author: rmannibucau
Date: Fri Nov 27 12:38:06 2015
New Revision: 1716862

URL: http://svn.apache.org/viewvc?rev=1716862&view=rev
Log:
adding whitelist to BlacklistClassResolver

Modified:
    openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java

Modified: openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
URL: http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java?rev=1716862&r1=1716861&r2=1716862&view=diff
==============================================================================
--- openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
(original)
+++ openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/util/OwbCustomObjectInputStream.java
Fri Nov 27 12:38:06 2015
@@ -26,9 +26,11 @@ import java.lang.reflect.Proxy;
 
 public class OwbCustomObjectInputStream extends ObjectInputStream
 {
-    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
-        "openwebbeans.BlacklistClassResolver",
-        "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split("
*, *"));
+    public static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(
+        toArray(System.getProperty(
+            "tomee.serialization.class.blacklist",
+            "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+        toArray(System.getProperty("tomee.serialization.class.whitelist")));
 
     private ClassLoader classLoader;
 
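Review bot: The system property read on the new side changes from `openwebbeans.BlacklistClassResolver` to `tomee.serialization.class.blacklist` with no fallback, so a deployment that configured the old key silently reverts to the built-in default blacklist. Keeping the old key as a fallback avoids that, e.g. `toArray(System.getProperty("tomee.serialization.class.blacklist", System.getProperty("openwebbeans.BlacklistClassResolver", "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan"))),`. Separately, `BLACKLIST_CLASSES` becomes `public` while its type `BlacklistClassResolver` stays a private nested class (second hunk), so code outside this class can presumably hold the field but not name its type or call `check` on it; either widen the nested class or keep the field private. A comment on the field stating that both lists are comma-separated class-name prefixes read once at class initialisation, and that setting the whitelist switches the resolver to deny-by-default, would help operators.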
@@ -63,28 +65,51 @@ public class OwbCustomObjectInputStream
         }
     }
 
-    private static final class BlacklistClassResolver
+    private static String[] toArray(final String property)
+    {
+        return property == null ? null : property.split(" *, *");
+    }
+
+    private static class BlacklistClassResolver
     {
         private final String[] blacklist;
+        private final String[] whitelist;
 
-        protected BlacklistClassResolver(final String[] blacklist)
+        protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist)
         {
+            this.whitelist = whitelist;
             this.blacklist = blacklist;
         }
 
+        protected boolean isBlacklisted(final String name)
+        {
+            return (whitelist != null && !contains(whitelist, name)) || contains(blacklist,
name);
+        }
+
         public final String check(final String name)
         {
-            if (blacklist != null)
+            if (isBlacklisted(name))
             {
-                for (final String white : blacklist)
-                {
-                    if (name.startsWith(white))
-                    {
-                        throw new SecurityException(name + " is not whitelisted as deserialisable,
prevented before loading.");
+                throw new SecurityException(name + " is not whitelisted as deserialisable,
prevented before loading.");
+            }
+            return name;
+        }
+
+        private static String[] toArray(final String property)
+        {
+            return property == null ? null : property.split(" *, *");
+        }
+
+        private static boolean contains(final String[] list, String name)
+        {
+            if (list != null) {
+                for (final String white : list) {
+                    if (name.startsWith(white)) {
+                        return true;
                     }
                 }
             }
-            return name;
+            return false;
         }
     }
 }
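Review bot: An empty whitelist property disables the whitelist instead of denying everything: `toArray` at the top of the hunk turns `""` into `[""]`, and in `contains` every name satisfies `name.startsWith("")`, so `-Dtomee.serialization.class.whitelist=` lets every class through `isBlacklisted` with only the blacklist still applying. Skipping empty entries makes the whitelist fail closed: `if (!white.isEmpty() && name.startsWith(white)) {`. The second `toArray` added inside `BlacklistClassResolver` duplicates the outer one and is not called from anything in this hunk, so it looks like a leftover; removing it also avoids shadowing the outer method. The `protected` modifiers on the constructor and `isBlacklisted` have no effect inside a private nested class, and the loop variable `white` in `contains` now also iterates the blacklist, so `prefix` would read better.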


