This is an automated email from the ASF dual-hosted git repository.
solomax pushed a commit to branch 4.0.x
in repository https://gitbox.apache.org/repos/asf/openmeetings.git
The following commit(s) were added to refs/heads/4.0.x by this push:
new 0e5b4a2 [OPENMEETINGS-1954] xstream is made more secure
0e5b4a2 is described below
commit 0e5b4a20a5d898a48714bf6b5efcb9ad37c4808c
Author: Maxim Solodovnik <[email protected]>
AuthorDate: Sun Oct 28 14:01:20 2018 +0700
[OPENMEETINGS-1954] xstream is made more secure
---
.../apache/openmeetings/backup/converter/WbConverter.java | 13 ++++++++++---
.../openmeetings/web/util/UserDashboardPersister.java | 9 +++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git
a/openmeetings-install/src/main/java/org/apache/openmeetings/backup/converter/WbConverter.java
b/openmeetings-install/src/main/java/org/apache/openmeetings/backup/converter/WbConverter.java
index 96e9617..e289c54 100644
---
a/openmeetings-install/src/main/java/org/apache/openmeetings/backup/converter/WbConverter.java
+++
b/openmeetings-install/src/main/java/org/apache/openmeetings/backup/converter/WbConverter.java
@@ -52,6 +52,9 @@ import com.github.openjson.JSONArray;
import com.github.openjson.JSONObject;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.XppDriver;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
public class WbConverter {
private static final Logger log =
Red5LoggerFactory.getLogger(WbConverter.class, getWebAppRootKey());
@@ -306,10 +309,14 @@ public class WbConverter {
File file = new File(OmFileHelper.getUploadWmlDir(), name);
log.debug("filepathComplete: {}", file);
- XStream xStream = new XStream(new XppDriver());
- xStream.setMode(XStream.NO_REFERENCES);
+ XStream xstream = new XStream(new XppDriver());
+ xstream.setMode(XStream.NO_REFERENCES);
+ xstream.addPermission(NoTypePermission.NONE);
+ xstream.addPermission(NullPermission.NULL);
+ xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+ xstream.allowTypeHierarchy(List.class);
try (InputStream is = new FileInputStream(file); BufferedReader
reader = new BufferedReader(new InputStreamReader(is, UTF_8))) {
- return (List<?>) xStream.fromXML(reader);
+ return (List<?>) xstream.fromXML(reader);
} catch (Exception err) {
log.error("loadWmlFile", err);
}
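Review bot: The permission set built by the four `xstream.addPermission`/`xstream.allowTypeHierarchy` calls admits null, primitives with their boxed types, and any `List` implementation, but `PrimitiveTypePermission.PRIMITIVES` does not cover `java.lang.String`; if the persisted WML list holds string elements (not visible here, but plausible for whiteboard items), `fromXML` will now throw `ForbiddenClassException` and the existing `catch (Exception err)` turns that into a generic "loadWmlFile" error with no data returned. If strings are part of the format, add `xstream.allowTypes(new Class[] {String.class});` next to the other permissions, and consider narrowing `allowTypeHierarchy(List.class)` to the concrete collection type the whiteboard serializer writes, since a hierarchy permission admits every `List` implementation on the classpath. A dedicated `catch (ForbiddenClassException e)` branch with its own log message would let a rejected type be told apart from ordinary read failures when reviewing logs. The enclosing method begins before this hunk and continues past it.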
diff --git
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/UserDashboardPersister.java
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/UserDashboardPersister.java
index 10ee875..fd2449f 100644
---
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/UserDashboardPersister.java
+++
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/UserDashboardPersister.java
@@ -29,12 +29,16 @@ import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
+import java.util.ArrayList;
import java.util.Collections;
import org.slf4j.Logger;
import org.wicketstuff.dashboard.Dashboard;
import org.wicketstuff.dashboard.DashboardPersister;
import org.wicketstuff.dashboard.WidgetComparator;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
@@ -61,6 +65,11 @@ public class UserDashboardPersister implements
DashboardPersister {
xstream = new XStream(new DomDriver(UTF_8.name()));
xstream.setMode(XStream.NO_REFERENCES);
+ xstream.addPermission(NoTypePermission.NONE);
+ xstream.addPermission(NullPermission.NULL);
+
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+ xstream.allowTypesByWildcard(new String[]
{"org.apache.openmeetings.web.**"});
+ xstream.allowTypeHierarchy(ArrayList.class);
xstream.alias("dashboard", UserDashboard.class);
}
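Review bot: `xstream.allowTypesByWildcard(new String[] {"org.apache.openmeetings.web.**"})` is the broadest grant in this commit: the `**` form matches every class in the web module and all of its sub-packages, so any type there with side-effecting constructors or `readResolve` logic is instantiable from the dashboard XML, whereas the WbConverter hunk in the same commit only permits `List`. Restricting the pattern to the package(s) that actually contain `UserDashboard` and its widget classes, e.g. `"<dashboard-package>.**"`, keeps the whitelist aligned with the data that is really persisted. As in WbConverter, `PrimitiveTypePermission.PRIMITIVES` does not include `String`, and neither permission covers the `org.wicketstuff.dashboard` types imported above; if the serialized dashboard references either, deserialization will be rejected, so `xstream.allowTypes(new Class[] {String.class});` (and any required wicketstuff types) may need to be added explicitly. The hunk also allows `ArrayList` by hierarchy while the other file allows `List`; picking one convention for both files would make the intended whitelist easier to audit.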