Repository: tomee
Updated Branches:
  refs/heads/tomee-1.7.x 14517a788 -> f6130e2c1


backporting blacklisting of deserialization of java.lang.Process* and alignment 
of tomee.serialization.class.*list on server and client sides in 1.7.x branch


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/6e8147e9
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/6e8147e9
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/6e8147e9

Branch: refs/heads/tomee-1.7.x
Commit: 6e8147e9fe47028aef6f2e11f2ed7fa355a502d7
Parents: 14517a7
Author: Romain Manni-Bucau <rmann...@gmail.com>
Authored: Tue Dec 15 11:15:59 2015 +0100
Committer: Romain Manni-Bucau <rmann...@gmail.com>
Committed: Tue Dec 15 11:15:59 2015 +0100

----------------------------------------------------------------------
 .../core/rmi/BlacklistClassResolver.java        | 17 ++++++++--------
 .../openejb/client/EjbObjectInputStream.java    | 21 +++++++++++---------
 2 files changed, 20 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tomee/blob/6e8147e9/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
----------------------------------------------------------------------
diff --git 
a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
 
b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
index 6ce1299..1a07ec8 100644
--- 
a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
+++ 
b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
@@ -19,12 +19,11 @@ package org.apache.openejb.core.rmi;
 import java.io.ObjectStreamClass;
 
 public class BlacklistClassResolver {
-    //TODO - private static final String[] WHITELIST = 
toArray(System.getProperty("tomee.serialization.class.whitelist"));
-    //TODO - private static final String[] BLACKLIST = 
toArray(System.getProperty("tomee.serialization.class.blacklist"));
-
     public static final BlacklistClassResolver DEFAULT = new 
BlacklistClassResolver(
-            new String[]{"org.codehaus.groovy.runtime.", 
"org.apache.commons.collections.functors.", "org.apache.xalan"},
-            null);
+        toArray(System.getProperty(
+            "tomee.serialization.class.blacklist",
+            
"org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process")),
+        toArray(System.getProperty("tomee.serialization.class.whitelist")));
 
     private final String[] blacklist;
     private final String[] whitelist;
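Review bot: Setting `tomee.serialization.class.blacklist` replaces the built-in prefixes instead of adding to them, because the defaults are only the fallback argument of `System.getProperty` in the `DEFAULT` initialiser. An operator who sets the property to block one more package silently loses the Groovy, commons-collections, Xalan and `java.lang.Process` entries. Either merge the configured value with the defaults or document it above `DEFAULT`, e.g. `// NOTE: a configured blacklist replaces these defaults; repeat them if they must stay blocked.` Both properties are also read only once, when the class is initialised. The same applies to the `BLACKLIST` constant added in EjbObjectInputStream.java.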
@@ -35,7 +34,7 @@ public class BlacklistClassResolver {
     }
 
     protected boolean isBlacklisted(final String name) {
-        return !contains(whitelist, name) && contains(blacklist, name);
+        return (whitelist != null && !contains(whitelist, name)) || 
contains(blacklist, name);
     }
 
     public final ObjectStreamClass check(final ObjectStreamClass classDesc) {
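Review bot: `isBlacklisted` now combines two rules whose precedence is not written down anywhere in the method. Once a whitelist is configured every class outside it is rejected, and a blacklist match rejects a class even if the whitelist names it. A Javadoc comment should state this, e.g. `/** Rejects a class when a whitelist is configured and does not cover it, or when the blacklist covers it; the blacklist wins. */`. The body of `contains` is outside this hunk; if it matches by prefix as the client copy does, the comment should also say that entries are prefixes, so a whitelist has to cover every package the application legitimately deserializes.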
@@ -50,9 +49,9 @@ public class BlacklistClassResolver {
         return name;
     }
 
-//    private static String[] toArray(final String property) {
-//        return property == null ? null : property.split(" *, *");
-//    }
+    private static String[] toArray(final String property) {
+        return property == null ? null : property.split(" *, *");
+    }
 
     private static boolean contains(final String[] list, final String name) {
         if (list != null) {
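Review bot: `toArray` passes empty and whitespace-padded entries through, which matters now that the lists come from operator-supplied properties. An empty value or a leading comma yields an `""` entry, and if `contains` matches with `startsWith` (as the client copy does) that entry matches every class name: in the whitelist it silently switches the restriction off, in the blacklist it rejects everything. A value with a leading space keeps that space in its first entry, so that blacklist prefix never matches. Trimming each entry and dropping empty ones avoids both; how an entirely empty list should behave still needs an explicit decision. The identical `toArray` enabled in EjbObjectInputStream.java has the same behaviour, and the body of `contains` continues outside this hunk.

```java
    private static String[] toArray(final String property) {
        if (property == null) {
            return null;
        }
        final List<String> entries = new ArrayList<String>();
        for (final String entry : property.split(",")) {
            final String trimmed = entry.trim();
            if (!trimmed.isEmpty()) { // "" would match every class name as a prefix
                entries.add(trimmed);
            }
        }
        return entries.toArray(new String[entries.size()]);
    }
```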

http://git-wip-us.apache.org/repos/asf/tomee/blob/6e8147e9/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
----------------------------------------------------------------------
diff --git 
a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
 
b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
index 4dbf1a3..c1e9eda 100644
--- 
a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
+++ 
b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java
@@ -26,9 +26,7 @@ import java.lang.reflect.Proxy;
  * @version $Rev$ $Date$
  */
 public class EjbObjectInputStream extends ObjectInputStream {
-    public static final BlacklistClassResolver DEFAULT = new 
BlacklistClassResolver(
-        new String[]{"org.codehaus.groovy.runtime.", 
"org.apache.commons.collections.functors.", "org.apache.xalan"},
-        null);
+    public static final BlacklistClassResolver DEFAULT = new 
BlacklistClassResolver();
 
     public EjbObjectInputStream(final InputStream in) throws IOException {
         super(in);
@@ -91,12 +89,17 @@ public class EjbObjectInputStream extends ObjectInputStream 
{
     }
 
     public static class BlacklistClassResolver {
-        //TODO- private static final String[] WHITELIST = 
toArray(System.getProperty("tomee.serialization.class.whitelist"));
-        //TODO- private static final String[] BLACKLIST = 
toArray(System.getProperty("tomee.serialization.class.blacklist"));
+        private static final String[] WHITELIST = 
toArray(System.getProperty("tomee.serialization.class.whitelist"));
+        private static final String[] BLACKLIST = toArray(System.getProperty(
+            "tomee.serialization.class.blacklist", 
"org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process"));
 
         private final String[] blacklist;
         private final String[] whitelist;
 
+        protected BlacklistClassResolver() {
+            this(BLACKLIST, WHITELIST);
+        }
+
         protected BlacklistClassResolver(final String[] blacklist, final 
String[] whitelist) {
             this.whitelist = whitelist;
             this.blacklist = blacklist;
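Review bot: The client's `isBlacklisted` is not touched by this diff, so with `WHITELIST` now populated from the system property the client may still apply the pre-change rule `!contains(whitelist, name) && contains(blacklist, name)`. Under that rule a whitelist entry exempts a class from the blacklist instead of restricting what may be deserialized, the opposite of the rule this commit introduces in the server-side BlacklistClassResolver.java. The method sits between these constructors and `toArray`, outside the visible hunks, so please confirm it. If it still has the old form, change it to `return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name);`.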
@@ -113,11 +116,11 @@ public class EjbObjectInputStream extends 
ObjectInputStream {
             return name;
         }
 
-//        private static String[] toArray(final String property) {
-//            return property == null ? null : property.split(" *, *");
-//        }
+        private static String[] toArray(final String property) {
+            return property == null ? null : property.split(" *, *");
+        }
 
-        private static boolean contains(final String[] list, final String 
name) {
+        private static boolean contains(final String[] list, String name) {
             if (list != null) {
                 for (final String white : list) {
                     if (name.startsWith(white)) {
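Review bot: The rewritten `contains` signature drops `final` from the `name` parameter, while the other parameter and the rest of this class keep it. `private static boolean contains(final String[] list, final String name) {` would stay consistent with the surrounding code. The loop variable `white` is also misleading because the same loop scans the blacklist; a neutral name such as `prefix` reads better. The body of `contains` continues outside this hunk.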
