Repository: tomee Updated Branches: refs/heads/master 5689b25ac -> 58cdbbef9
switching tomee.serialization.class.blacklist defaults to * in our packaged distributions Project: http://git-wip-us.apache.org/repos/asf/tomee/repo Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/58cdbbef Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/58cdbbef Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/58cdbbef Branch: refs/heads/master Commit: 58cdbbef9c77ab2b44870f9d606593b49cde76d9 Parents: 5689b25 Author: Romain manni-Bucau <rmannibu...@gmail.com> Authored: Tue Mar 1 16:13:38 2016 +0100 Committer: Romain manni-Bucau <rmannibu...@gmail.com> Committed: Tue Mar 1 16:13:38 2016 +0100 ---------------------------------------------------------------------- .../java/org/apache/openejb/arquillian/common/Setup.java | 5 +++++ .../openejb/arquillian/common/TomEEConfiguration.java | 9 +++++++++ .../arquillian/embedded/EmbeddedTomEEConfiguration.java | 10 +++++++++- .../apache/openejb/core/rmi/BlacklistClassResolver.java | 2 +- .../openejb/core/rmi/BlacklistClassResolverTest.java | 8 ++++++++ .../org/apache/openejb/client/EjbObjectInputStream.java | 2 +- .../main/java/org/apache/tomee/installer/Installer.java | 8 ++++++++ 7 files changed, 41 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java ---------------------------------------------------------------------- diff --git a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java index eab496c..7db26ba 100644 --- a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java +++ b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/Setup.java 
@@ -303,6 +303,11 @@ public class Setup { properties.put("openejb.session.manager", "org.apache.tomee.catalina.session.QuickSessionManager"); } + if (configuration.isUnsafeEjbd() && "*".equals(properties.getProperty("tomee.serialization.class.blacklist", "-").trim())) { + properties.remove("tomee.serialization.class.blacklist"); + properties.put("tomee.serialization.class.whitelist", "*"); + } + try { IO.writeProperties(file, properties); } catch (final IOException e) { http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java ---------------------------------------------------------------------- diff --git a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java index 230261c..265cb35 100644 --- a/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java +++ b/arquillian/arquillian-tomee-common/src/main/java/org/apache/openejb/arquillian/common/TomEEConfiguration.java @@ -45,6 +45,7 @@ public class TomEEConfiguration implements ContainerConfiguration { protected String portRange = ""; // only used if port < 0, empty means whatever, can be "1024-65535" protected String preloadClasses; // just a client classloader.loadClass(), value is comma separated qualified names. Useful with maven resolver for instance protected boolean quickSession = true; + protected boolean unsafeEjbd = true; protected boolean unpackWars = true; protected String properties = ""; 
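Review bot: The added block overwrites any whitelist the user configured: whenever the blacklist is `*` it unconditionally runs `properties.put("tomee.serialization.class.whitelist", "*")`, so an arquillian configuration that sets `tomee.serialization.class.blacklist = *` together with a narrow `tomee.serialization.class.whitelist` silently ends up with deserialization open to every class; the EmbeddedTomEEConfiguration hunk has the same overwrite. Because `unsafeEjbd` defaults to `true` in TomEEConfiguration, this is the path every test container takes unless it opts out. If widening an explicit whitelist is intended, a comment should say so; otherwise guard the put with `if (!properties.containsKey("tomee.serialization.class.whitelist")) { properties.put("tomee.serialization.class.whitelist", "*"); }` and add `// test-only: relax the packaged "deny all" so EJBd round-trips work` above the block so readers see why a security default is undone here. The enclosing method of Setup starts before the hunk.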
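Review bot: `unsafeEjbd` defaults to `true`, so the new field opts every Arquillian container into the widened deserialization whitelist unless the test configuration sets it to `false`; the secure-by-default choice is `false`, with suites that need EJBd round-trips opting in. If `true` is kept so existing suites keep running, the field should carry the same kind of trailing comment its neighbours `portRange` and `preloadClasses` have, e.g. `protected boolean unsafeEjbd = true; // when true and the blacklist is "*", Setup swaps it for whitelist "*" (test containers only)`. The `isUnsafeEjbd`/`setUnsafeEjbd` pair added in the next hunk of this file could repeat that sentence as Javadoc.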
@@ -53,6 +54,14 @@ public class TomEEConfiguration implements ContainerConfiguration { protected boolean singleDumpByArchiveName; protected Collection<String> singleDeploymentByArchiveName = Collections.emptyList(); + public boolean isUnsafeEjbd() { + return unsafeEjbd; + } + + public void setUnsafeEjbd(final boolean unsafeEjbd) { + this.unsafeEjbd = unsafeEjbd; + } + public boolean isUnpackWars() { return unpackWars; } http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java ---------------------------------------------------------------------- diff --git a/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java b/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java index 0d18097..ea7ea42 100644 --- a/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java +++ b/arquillian/arquillian-tomee-embedded/src/main/java/org/apache/openejb/arquillian/embedded/EmbeddedTomEEConfiguration.java 
@@ -172,7 +172,15 @@ public class EmbeddedTomEEConfiguration extends TomEEConfiguration { return new Properties(); } - return toProperties(properties); + final Properties properties = toProperties(this.properties); + if (properties != null && isUnsafeEjbd() && + "*".equals(properties.getProperty("tomee.serialization.class.blacklist", "-").trim())) { + + properties.remove("tomee.serialization.class.blacklist"); + properties.put("tomee.serialization.class.whitelist", "*"); + } + + return properties; } private static Properties toProperties(final String value) { http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java index 1a07ec8..da34eec 100644 --- a/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java +++ b/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java @@ -56,7 +56,7 @@ public class BlacklistClassResolver { private static boolean contains(final String[] list, final String name) { if (list != null) { for (final String white : list) { - if (name.startsWith(white)) { + if ("*".equals(white) || name.startsWith(white)) { return true; } } http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java ---------------------------------------------------------------------- diff --git a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java index 1174be2..af1e742 100644 
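Review bot: The new local `final Properties properties = toProperties(this.properties);` shadows the `String properties` field it reads, which is why `this.properties` became necessary and makes the following `properties.getProperty(...)` easy to misread as a call on the field; naming the local `props` or `parsed` removes the shadow. The blank line directly after the multi-line `if (` condition separates the condition from its body and is absent from the otherwise identical logic in the Setup hunk. The unconditional `properties.put("tomee.serialization.class.whitelist", "*")` discards an explicitly configured whitelist, as in the Setup hunk. The enclosing method starts outside the hunk.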
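Review bot: `"*".equals(white)` only matches an entry that is exactly `*`; whether an entry such as ` *` from a comma-separated property value is trimmed before it reaches `contains` is decided outside the hunk (the Arquillian hunks call `.trim()` before their own comparison), so either confirm the split trims or compare against `white.trim()` here. The same line is duplicated in `EjbObjectInputStream.contains` in the client module, and the two copies have already drifted in signature (`final String name` there is not final), so a cross-referencing comment or a shared helper would keep the wildcard semantics in sync. Since `contains` serves both lists, `*` on the whitelist now also means "everything", which is the mode the Arquillian hunks switch to; a comment on the loop, `// "*" matches every class: a "*" blacklist denies all, a "*" whitelist allows all`, would make that explicit, and the loop variable `white` is misleading for blacklist entries.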
--- a/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java +++ b/container/openejb-core/src/test/java/org/apache/openejb/core/rmi/BlacklistClassResolverTest.java @@ -38,4 +38,12 @@ public class BlacklistClassResolverTest { public void whiteList() { assertFalse(new BlacklistClassResolver(null, new String[] { "org.apache.xalan" }).isBlacklisted("org.apache.xalan.Foo")); } + + @Test + public void wildcard() { + final BlacklistClassResolver classResolver = new BlacklistClassResolver(new String[]{"*"}, new String[] {"white", "com.white"}); + assertTrue(classResolver.isBlacklisted("white.Foo")); + assertTrue(classResolver.isBlacklisted("com.white.test")); + assertTrue(classResolver.isBlacklisted("other.test")); + } } http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java ---------------------------------------------------------------------- diff --git a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java index 9ce9291..7e7155b 100644 --- a/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java +++ b/server/openejb-client/src/main/java/org/apache/openejb/client/EjbObjectInputStream.java @@ -123,7 +123,7 @@ public class EjbObjectInputStream extends ObjectInputStream { private static boolean contains(final String[] list, String name) { if (list != null) { for (final String white : list) { - if (name.startsWith(white)) { + if ("*".equals(white) || name.startsWith(white)) { return true; } } http://git-wip-us.apache.org/repos/asf/tomee/blob/58cdbbef/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java ---------------------------------------------------------------------- 
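Review bot: The new test exercises `*` only on the blacklist side; the mode the Arquillian hunks switch to (no blacklist, whitelist `*`) has no assertion, so one line such as `assertFalse(new BlacklistClassResolver(null, new String[]{"*"}).isBlacklisted("any.Foo"));` would pin that `*` opens the whitelist as intended, and `EjbObjectInputStream.contains` in the client hunk receives the same change with no test at all. The assertions also pin that a `*` blacklist wins over whitelisted packages (`white.Foo` is blacklisted although `white` is whitelisted), which, as far as these lines show, contradicts the guidance the Installer hunk writes into system.properties: `tune tomee.serialization.class.whitelist packages to change it` next to `tomee.serialization.class.blacklist = *` suggests a whitelist entry alone re-enables a package, yet by this test every class stays denied while the `*` blacklist is in place. The installer comment should tell operators to replace the `*` blacklist entry with explicit packages as well as list the allowed ones in the whitelist, and `by security we denied all by default` reads better as `for security all classes are denied by default`.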
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java index 621c82b..4c76e4e 100644 --- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java +++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java @@ -704,6 +704,14 @@ public class Installer implements InstallerInterface { systemPropertiesWriter.write("# for more information please see http://tomee.apache.org/properties-listing.html\n"); systemPropertiesWriter.write("\n"); + systemPropertiesWriter.write( + "# allowed packages to be deserialized, by security we denied all by default, " + + "tune tomee.serialization.class.whitelist packages to change it\n"); + systemPropertiesWriter.write("# tomee.remote.support = true\n"); + systemPropertiesWriter.write("tomee.serialization.class.blacklist = *\n"); + systemPropertiesWriter.write("# tomee.serialization.class.whitelist = my.package\n"); + + systemPropertiesWriter.write("\n"); systemPropertiesWriter.write("# openejb.check.classloader = false\n"); systemPropertiesWriter.write("# openejb.check.classloader.verbose = false\n");