Repository: logging-log4j-tools Updated Branches: refs/heads/master e75bafd39 -> 9b93b3fb5
LOG4J2-2163 Use FilteredObjectInputStream from log4j-api Project: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/repo Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/commit/9b93b3fb Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/tree/9b93b3fb Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/diff/9b93b3fb Branch: refs/heads/master Commit: 9b93b3fb56a3dde1a88f962bd4658d19f520ee2e Parents: e75bafd Author: Mikael Ståldal <[email protected]> Authored: Fri Dec 29 12:19:53 2017 +0100 Committer: Mikael Ståldal <[email protected]> Committed: Fri Dec 29 12:19:53 2017 +0100 ---------------------------------------------------------------------- .../log4j/server/FilteredObjectInputStream.java | 67 -------------------- .../server/ObjectInputStreamLogEventBridge.java | 1 + 2 files changed, 1 insertion(+), 67 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/9b93b3fb/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java ----------------------------------------------------------------------
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java
deleted file mode 100644
index c5bf92f..0000000
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache license, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the license for the specific language governing permissions and
- * limitations under the license.
- */
-package org.apache.logging.log4j.server;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InvalidObjectException;
-import java.io.ObjectInputStream;
-import java.io.ObjectStreamClass;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-
-/**
- * Extended ObjectInputStream that only allows certain classes to be deserialized.
- *
- * @since 2.8.2
- */
-public class FilteredObjectInputStream extends ObjectInputStream {
-
- private static final List<String> REQUIRED_JAVA_CLASSES = Arrays.asList(
- // for StandardLevel
- "java.lang.Enum",
- // for location information
- "java.lang.StackTraceElement",
- // for Message delegate
- "java.rmi.MarshalledObject",
- "[B"
- );
-
- private final Collection<String> allowedClasses;
-
- public FilteredObjectInputStream(final InputStream in, final Collection<String> allowedClasses) throws IOException {
- super(in);
- this.allowedClasses = allowedClasses;
- }
-
- @Override
- protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
- String name = desc.getName();
- if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
- throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
- }
- return super.resolveClass(desc);
- }
-
- private static boolean isAllowedByDefault(final String name) {
- return name.startsWith("org.apache.logging.log4j.") ||
- name.startsWith("[Lorg.apache.logging.log4j.") ||
- REQUIRED_JAVA_CLASSES.contains(name);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/9b93b3fb/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java ----------------------------------------------------------------------
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
index 0f4a06f..428ab83 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
@@ -24,6 +24,7 @@ import java.util.List; import org.apache.logging.log4j.core.LogEvent; import org.apache.logging.log4j.core.LogEventListener; +import org.apache.logging.log4j.util.FilteredObjectInputStream; /** * Reads and logs serialized {@link LogEvent} objects from an {@link ObjectInputStream}.
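Review bot: The class Javadoc that follows the new import should say where the deserialization allow-list now lives, because after this change the filter applied to incoming serialized `LogEvent` streams is `org.apache.logging.log4j.util.FilteredObjectInputStream` from log4j-api rather than the copy deleted from this module. I would add a sentence such as `Deserialization is restricted by {@link FilteredObjectInputStream} from log4j-api; the classes accepted by default are defined there.` The removed copy accepted every `org.apache.logging.log4j.` class plus `java.rmi.MarshalledObject` by default and threw `InvalidObjectException` for anything else; whether the log4j-api class keeps exactly that behaviour and constructor is not visible in this hunk, so a test asserting that a class outside the allow-list is rejected would pin it. The diffstat lists only the two Java files, so presumably the log4j-api version already on the build path ships this class, which is worth confirming. The Javadoc and the class body continue outside the hunk.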
