Repository: tomee Updated Branches: refs/heads/tomee-1.7.x 14517a788 -> f6130e2c1
backporting blacklisting of unserialization of ava.lang.Process* and alignment of tomee.serialization.class.*list on server and client sides in 1.7.x branch Project: http://git-wip-us.apache.org/repos/asf/tomee/repo Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/6e8147e9 Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/6e8147e9 Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/6e8147e9 Branch: refs/heads/tomee-1.7.x Commit: 6e8147e9fe47028aef6f2e11f2ed7fa355a502d7 Parents: 14517a7 Author: Romain Manni-Bucau <rmann...@gmail.com> Authored: Tue Dec 15 11:15:59 2015 +0100 Committer: Romain Manni-Bucau <rmann...@gmail.com> Committed: Tue Dec 15 11:15:59 2015 +0100 ---------------------------------------------------------------------- .../core/rmi/BlacklistClassResolver.java | 17 ++++++++-------- .../openejb/client/EjbObjectInputStream.java | 21 +++++++++++--------- 2 files changed, 20 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tomee/blob/6e8147e9/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java index 6ce1299..1a07ec8 100644 --- a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java +++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java 
@@ -19,12 +19,11 @@ package org.apache.openejb.core.rmi; import java.io.ObjectStreamClass; public class BlacklistClassResolver { - //TODO - private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist")); - //TODO - private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist")); - public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver( - new String[]{"org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan"}, - null); + toArray(System.getProperty( + "tomee.serialization.class.blacklist", + "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process")), + toArray(System.getProperty("tomee.serialization.class.whitelist"))); private final String[] blacklist; private final String[] whitelist; @@ -35,7 +34,7 @@ public class BlacklistClassResolver { } protected boolean isBlacklisted(final String name) { - return !contains(whitelist, name) && contains(blacklist, name); + return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name); } public final ObjectStreamClass check(final ObjectStreamClass classDesc) { @@ -50,9 +49,9 @@ public class BlacklistClassResolver { return name; } -// private static String[] toArray(final String property) { -// return property == null ? null : property.split(" *, *"); -// } + private static String[] toArray(final String property) { + return property == null ? null : property.split(" *, *"); + } private static boolean contains(final String[] list, final String name) { if (list != null) { http://git-wip-us.apache.org/repos/asf/tomee/blob/6e8147e9/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java ---------------------------------------------------------------------- 
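Review bot: Setting `tomee.serialization.class.blacklist` replaces the built-in prefixes instead of extending them, because the four defaults are only the fallback argument of `System.getProperty` in the `DEFAULT` initializer. An operator who sets the property to block one more package would, as far as this hunk shows, silently lose `org.codehaus.groovy.runtime.`, `org.apache.commons.collections.functors.`, `org.apache.xalan` and `java.lang.Process`. I would state that on the field, e.g. `// NOTE: a user-supplied blacklist replaces these defaults; repeat them when adding entries`, or merge the two lists. The same literal is repeated in EjbObjectInputStream.BlacklistClassResolver, so the two copies can drift apart again.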
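Review bot: The new `isBlacklisted` expression changes precedence without saying so in the code: before, a whitelisted name bypassed the blacklist; now a configured whitelist is a strict allowlist and the blacklist still applies to names on it. Deployments that already set `tomee.serialization.class.whitelist` will start rejecting every class outside it, so the rule deserves a Javadoc line such as `/** Rejects a name when a whitelist is set and the name is not on it, or when the name matches the blacklist. */`. No test accompanies the change in this commit; one case per branch (whitelist unset, whitelisted and blacklisted, neither) would pin it.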
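Review bot: `toArray` keeps empty and space-padded entries, and `contains` matches with `startsWith`, so a malformed property value changes the filter silently. An empty element (`a,,b`, or an empty property) is a prefix of every class name: in the whitelist it turns the allowlist off, in the blacklist it rejects everything. An entry with a leading space, as in ` org.apache.xalan`, never matches, which drops that blacklist entry. Trimming each token and discarding empty ones avoids both; with the version below an empty whitelist property rejects every class, which fails closed. The identical method is restored in EjbObjectInputStream.BlacklistClassResolver (hunk `@@ -113,11 +116,11 @@`) and needs the same change.

```java
private static String[] toArray(final String property) {
    if (property == null) {
        return null;
    }
    final java.util.List<String> prefixes = new java.util.ArrayList<String>();
    for (final String token : property.split(",")) {
        final String prefix = token.trim();
        if (!prefix.isEmpty()) { // an empty prefix would match every class name
            prefixes.add(prefix);
        }
    }
    return prefixes.toArray(new String[prefixes.size()]);
}
```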
diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java index 4dbf1a3..c1e9eda 100644 --- a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java +++ b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java @@ -26,9 +26,7 @@ import java.lang.reflect.Proxy; * @version $Rev$ $Date$ */ public class EjbObjectInputStream extends ObjectInputStream { - public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver( - new String[]{"org.codehaus.groovy.runtime.", "org.apache.commons.collections.functors.", "org.apache.xalan"}, - null); + public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(); public EjbObjectInputStream(final InputStream in) throws IOException { super(in); @@ -91,12 +89,17 @@ public class EjbObjectInputStream extends ObjectInputStream { } public static class BlacklistClassResolver { - //TODO- private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist")); - //TODO- private static final String[] BLACKLIST = toArray(System.getProperty("tomee.serialization.class.blacklist")); + private static final String[] WHITELIST = toArray(System.getProperty("tomee.serialization.class.whitelist")); + private static final String[] BLACKLIST = toArray(System.getProperty( + "tomee.serialization.class.blacklist", "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process")); private final String[] blacklist; private final String[] whitelist; + protected BlacklistClassResolver() { + this(BLACKLIST, WHITELIST); + } + protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) { this.whitelist = whitelist; this.blacklist = blacklist; 
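Review bot: `isBlacklisted` of this client-side copy is not part of the diff, while the server copy changes to `(whitelist != null && !contains(whitelist, name)) || contains(blacklist, name)` in this commit. If the client method still reads `!contains(whitelist, name) && contains(blacklist, name)`, a whitelisted prefix keeps overriding the blacklist on the client and the two sides are not aligned as the commit message intends; that cannot be confirmed from the visible lines. Separately, `WHITELIST` and `BLACKLIST` are read once during class initialization, so a property set after `EjbObjectInputStream` is first used has no effect. A comment on the fields, `// read once at class initialization; set the properties before this class loads`, would record that.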
@@ -113,11 +116,11 @@ public class EjbObjectInputStream extends ObjectInputStream { return name; } -// private static String[] toArray(final String property) { -// return property == null ? null : property.split(" *, *"); -// } + private static String[] toArray(final String property) { + return property == null ? null : property.split(" *, *"); + } - private static boolean contains(final String[] list, final String name) { + private static boolean contains(final String[] list, String name) { if (list != null) { for (final String white : list) { if (name.startsWith(white)) {
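Review bot: Dropping `final` from the `name` parameter of `contains` is unrelated to the fix and makes this copy differ from the server-side `contains(final String[] list, final String name)` that the commit is aligning with; I would keep `private static boolean contains(final String[] list, final String name) {`. The loop variable `white` is also used when the blacklist is passed, so `prefix` would read better. The body of `contains` continues past the end of the hunk.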