Author: rmannibucau
Date: Fri Nov 27 11:49:19 2015
New Revision: 1716850

URL: http://svn.apache.org/viewvc?rev=1716850&view=rev
Log:
JCS-155 fixing potential deserialization issue

Modified:
    
commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java

Modified: 
commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
URL: 
http://svn.apache.org/viewvc/commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java?rev=1716850&r1=1716849&r2=1716850&view=diff
==============================================================================
--- 
commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
 (original)
+++ 
commons/proper/jcs/trunk/commons-jcs-core/src/main/java/org/apache/commons/jcs/io/ObjectInputStreamClassLoaderAware.java
 Fri Nov 27 11:49:19 2015
@@ -26,6 +26,10 @@ import java.lang.reflect.Proxy;
 
 public class ObjectInputStreamClassLoaderAware extends ObjectInputStream
 {
+    private static final BlacklistClassResolver BLACKLIST_CLASSES = new 
BlacklistClassResolver(System.getProperty(
+        "jcs.BlacklistClassResolver",
+        
"org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split("
 *, *"));
+
     private final ClassLoader classLoader;
 
     public ObjectInputStreamClassLoaderAware(final InputStream in, final 
ClassLoader classLoader) throws IOException
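Review bot: The default passed to `System.getProperty` applies only when `jcs.BlacklistClassResolver` is unset, so a value set to the empty string splits to `[""]` and `name.startsWith("")` then rejects every class; either document that an empty value means deny-all or skip blank entries with `if (white.isEmpty()) { continue; }` at the top of the loop in `check`. The list is a denylist: it stops the package prefixes it names and nothing else, and because it is read once into a static field it cannot differ per stream or be changed at runtime. Callers that know their payload types would be better served by an allow-list option alongside this denylist, and a short Javadoc on the field naming the property and the meaning of the comma-separated prefixes would help operators configure it. The constructor that follows continues outside the hunk.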
@@ -37,7 +41,7 @@ public class ObjectInputStreamClassLoade
     @Override
     protected Class<?> resolveClass(final ObjectStreamClass desc) throws 
ClassNotFoundException
     {
-        return Class.forName(desc.getName(), false, classLoader);
+        return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, 
classLoader);
     }
 
     @Override
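Review bot: `resolveClass` now runs the denylist check, but the `@Override` at the end of this hunk — presumably `resolveProxyClass`, given the `java.lang.reflect.Proxy` import in the hunk header — lies outside the hunk and is not visibly changed, so proxy interface names would not pass through `BLACKLIST_CLASSES.check(...)`; each interface name should be checked before its `Class.forName`. Array descriptors are a second gap: `desc.getName()` for an array class has the form `[Lpkg.Type;`, which no package prefix matches, so `Class.forName` still loads the array class of a denied element type (without initialization, since `initialize` is `false`). Stripping leading `[` and the `L`/`;` wrapper inside `check` before the prefix comparison would close that.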
@@ -59,4 +63,22 @@ public class ObjectInputStreamClassLoade
         }
     }
 
+    private static final class BlacklistClassResolver {
+        private final String[] blacklist;
+
+        protected BlacklistClassResolver(final String[] blacklist) {
+            this.blacklist = blacklist;
+        }
+
+        public final String check(final String name) {
+            if (blacklist != null) {
+                for (final String white : blacklist) {
+                    if (name.startsWith(white)) {
+                        throw new SecurityException(name + " is not 
whitelisted as deserialisable, prevented before loading.");
+                    }
+                }
+            }
+            return name;
+        }
+    }
 }
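Review bot: The loop variable `white` and the message "is not whitelisted as deserialisable" describe an allow-list, but `blacklist` is a deny-list and the exception fires on a match, so a reader or an operator grepping logs gets the opposite meaning; rename to `for (final String prefix : blacklist)` and make the message `name + " matches a blacklisted prefix, prevented before loading."`. The `protected` constructor on a `private static final` nested class and `final` on a method of a `final` class are redundant; `private` with no `final` suffices. The `blacklist != null` guard is dead for the only caller, since `String.split` never returns null, though it is harmless. A one-line Javadoc on `check` stating that it throws `SecurityException` when the name starts with a listed prefix and otherwise returns the name unchanged would document the contract `resolveClass` relies on.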

