[
https://issues.apache.org/jira/browse/HTTPCLIENT-2023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Olof Larsson updated HTTPCLIENT-2023:
-------------------------------------
Description:
*Intro*
Please add char array to ALLOWED_CLASS_PATTERNS in
DefaultHttpCacheEntrySerializer.
*Further Explanation*
The current ALLOWED_CLASS_PATTERNS looks like this:
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS =
        Collections.unmodifiableList(Arrays.asList(
                Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
                Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
                Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
                Pattern.compile("^\\[B$")));
{code}
As we can see, byte arrays are allowed (at the end) but not char arrays. This
currently blocks me from upgrading from 4.5.8 to 4.5.10 because the
HttpCacheEntry may contain char arrays.
The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing
type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;"
field, which contains "private char[] buffer;".
*Proposed Solution*
Maybe it would make sense to *whitelist all arrays of primitives* (as opposed
to just arrays of bytes)? That way future code changes do not risk breaking
the DefaultHttpCacheEntrySerializer?
The code might look something like this?
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS =
        Collections.unmodifiableList(Arrays.asList(
                Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
                Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
                Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
                Pattern.compile("^\\[+Z$"), // boolean
                Pattern.compile("^\\[+B$"), // byte
                Pattern.compile("^\\[+C$"), // char
                Pattern.compile("^\\[+D$"), // double
                Pattern.compile("^\\[+F$"), // float
                Pattern.compile("^\\[+I$"), // int
                Pattern.compile("^\\[+J$"), // long
                Pattern.compile("^\\[+S$")  // short
        ));
{code}
Note that I removed groups where unnecessary (to avoid capturing) and made the
required group non-capturing (?:) as well as added support for arrays of arrays
of arrays as well.
was:
*Intro*
Please add char array to ALLOWED_CLASS_PATTERNS in
DefaultHttpCacheEntrySerializer.
*Further Explanation*
The current ALLOWED_CLASS_PATTERNS looks like this:
{code:java}
private static final List<Pattern> ALLOWED_CLASS_PATTERNS =
        Collections.unmodifiableList(Arrays.asList(
                Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
                Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
                Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
                Pattern.compile("^\\[B$")));
{code}
As we can see, byte arrays are allowed (at the end) but not char arrays. This
currently blocks me from upgrading from 4.5.8 to 4.5.10 because the
HttpCacheEntry may contain char arrays.
The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing
type "BufferedHeader" which contains a "private final CharArrayBuffer buffer;"
field, which contains "private char[] buffer;".
*Proposed Solution*
Maybe it would make sense to *whitelist all arrays of primitives* (as opposed
to just arrays of bytes)? That way future code changes do not risk breaking
the DefaultHttpCacheEntrySerializer?
> Whitelist Char Array in DefaultHttpCacheEntrySerializer
> -------------------------------------------------------
>
> Key: HTTPCLIENT-2023
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2023
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpCache
> Affects Versions: 4.5.10
> Reporter: Olof Larsson
> Priority: Major
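The rejection described in the issue can be reproduced with an added example (not code from the issue or from HttpClient) that round-trips small constructed objects through an ObjectInputStream whose resolveClass applies each of the two pattern lists quoted above. The class name AllowListDemo, the tryRead helper and the full-match check against the descriptor name are assumptions made for the illustration.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;
public class AllowListDemo {
    // Patterns copied from the issue: the 4.5.10 list, then the proposed one.
    static final List<Pattern> CURRENT = Arrays.asList(
        Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
        Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
        Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
        Pattern.compile("^\\[B$"));
    static final List<Pattern> PROPOSED = Arrays.asList(
        Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
        Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
        Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
        Pattern.compile("^\\[+Z$"), Pattern.compile("^\\[+B$"),
        Pattern.compile("^\\[+C$"), Pattern.compile("^\\[+D$"),
        Pattern.compile("^\\[+F$"), Pattern.compile("^\\[+I$"),
        Pattern.compile("^\\[+J$"), Pattern.compile("^\\[+S$"));

    // Serialize value, then read it back through a stream that resolves only allow-listed names.
    static String tryRead(Object value, final List<Pattern> allowed) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(value); }
        InputStream raw = new ByteArrayInputStream(buf.toByteArray());
        // Assumption: full match (Matcher.matches) against the stream's class descriptor name.
        try (ObjectInputStream in = new ObjectInputStream(raw) {
            @Override protected Class<?> resolveClass(ObjectStreamClass d)
                    throws IOException, ClassNotFoundException {
                for (Pattern p : allowed) {
                    if (p.matcher(d.getName()).matches()) return super.resolveClass(d);
                }
                throw new InvalidClassException(d.getName(), "not on allow-list");
            }
        }) {
            in.readObject();
            return "accepted";
        } catch (InvalidClassException e) {
            return "rejected at " + e.classname;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples: byte[], char[], int[][], String[][], and an out-of-list File[].
        Object[] samples = { new byte[1], new char[1], new int[1][1], new String[1][1], new File[1] };
        for (Object s : samples) {
            System.out.printf("%-22s current: %-34s proposed: %s%n",
                s.getClass().getName(), tryRead(s, CURRENT), tryRead(s, PROPOSED));
        }
    }
}
```

The File[] sample is refused by both lists, so the run shows the proposed patterns admitting only further array shapes of primitives and of the packages that were already allowed.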