[
https://issues.apache.org/jira/browse/HTTPCLIENT-2023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968975#comment-16968975
]
Olof Larsson commented on HTTPCLIENT-2023:
------------------------------------------
[~olegk] [~ggregory]
Before release, perhaps we should add some unit tests :)
[https://github.com/apache/httpcomponents-client/pull/171]
> Whitelist Char Array in DefaultHttpCacheEntrySerializer
> -------------------------------------------------------
>
> Key: HTTPCLIENT-2023
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2023
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpCache
> Affects Versions: 4.5.10
> Reporter: Olof Larsson
> Priority: Major
> Fix For: 4.5.11, 5.0 Beta7
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *Intro*
> Please add char array to ALLOWED_CLASS_PATTERNS in
> DefaultHttpCacheEntrySerializer.
> *Further Explanation*
> The current ALLOWED_CLASS_PATTERNS looks like this:
> {code:java}
> private static final List<Pattern> ALLOWED_CLASS_PATTERNS =
>     Collections.unmodifiableList(Arrays.asList(
>         Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
>         Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
>         Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
>         Pattern.compile("^\\[B$")));
> {code}
> As we can see, byte arrays are allowed (at the end) but not char arrays. This
> currently blocks me from upgrading from 4.5.8 to 4.5.10 because the
> HttpCacheEntry may contain char arrays.
> The field "HttpCacheEntry.responseHeaders.headers" can be of the implementing
> type "BufferedHeader" which contains a "private final CharArrayBuffer
> buffer;" field, which contains "private char[] buffer;".
> *Proposed Solution*
> Maybe it would make sense to *whitelist all arrays of primitives* (as
> opposed to just arrays of bytes)? That way future code changes do not risk
> breaking the DefaultHttpCacheEntrySerializer?
> The code might look something like this?
> {code:java}
> private static final List<Pattern> ALLOWED_CLASS_PATTERNS =
>     Collections.unmodifiableList(Arrays.asList(
>         Pattern.compile("^(?:\\[+L)?org\\.apache\\.http\\..*$"),
>         Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
>         Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
>         Pattern.compile("^\\[+Z$"), // boolean
>         Pattern.compile("^\\[+B$"), // byte
>         Pattern.compile("^\\[+C$"), // char
>         Pattern.compile("^\\[+D$"), // double
>         Pattern.compile("^\\[+F$"), // float
>         Pattern.compile("^\\[+I$"), // int
>         Pattern.compile("^\\[+J$"), // long
>         Pattern.compile("^\\[+S$") // short
>     ));
> {code}
> Note that I removed groups where unnecessary (to avoid capturing) and made
> the required group non-capturing "?:" as well as added support for arrays of
> arrays of arrays.