
Source code changes of the file "httpclient-cache/src/main/java/org/apache/http/impl/client/cache/DefaultHttpCacheEntrySerializer.java" between
httpcomponents-client-4.5.8-src.tar.gz and httpcomponents-client-4.5.9-src.tar.gz

About: HttpComponents is an Apache project responsible for creating and maintaining a toolset of low level Java components focused on HTTP and associated protocols. Java sources.

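--- a/httpclient-cache/src/main/java/org/apache/http/impl/client/cache/DefaultHttpCacheEntrySerializer.java
+++ b/httpclient-cache/src/main/java/org/apache/http/impl/client/cache/DefaultHttpCacheEntrySerializer.java
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 */
 package org.apache.http.impl.client.cache;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.io.ObjectStreamClass;
 import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Pattern;
 import org.apache.http.annotation.Contract;
 import org.apache.http.annotation.ThreadingBehavior;
 import org.apache.http.client.cache.HttpCacheEntry;
 import org.apache.http.client.cache.HttpCacheEntrySerializationException;
 import org.apache.http.client.cache.HttpCacheEntrySerializer;
 /**
 * {@link HttpCacheEntrySerializer} implementation that uses the default (native )
 * serialization.
 *
 * @see java.io.Serializable
 *
 * @since 4.1
 */
 @Contract(threading = ThreadingBehavior.IMMUTABLE)
 public class DefaultHttpCacheEntrySerializer implements HttpCacheEntrySerializer {
+private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmo
+difiableList(Arrays.asList(
+Pattern.compile("^(\\[L)?org\\.apache\\.http\\.(.*)"),
+Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
+Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
+Pattern.compile("^\\[B$")));
+private final List<Pattern> allowedClassPatterns;
+DefaultHttpCacheEntrySerializer(final Pattern... allowedClassPatterns) {
+this.allowedClassPatterns = Collections.unmodifiableList(Arrays.asList(a
+llowedClassPatterns));
+}
+public DefaultHttpCacheEntrySerializer() {
+this.allowedClassPatterns = ALLOWED_CLASS_PATTERNS;
+}
 @Override
 public void writeTo(final HttpCacheEntry cacheEntry, final OutputStream os) throws IOException {
 final ObjectOutputStream oos = new ObjectOutputStream(os);
 try {
 oos.writeObject(cacheEntry);
 } finally {
 oos.close();
 }
 }
 @Override
 public HttpCacheEntry readFrom(final InputStream is) throws IOException {
-final ObjectInputStream ois = new ObjectInputStream(is);
+final ObjectInputStream ois = new RestrictedObjectInputStream(is, allowe dClassPatterns);
 try {
 return (HttpCacheEntry) ois.readObject();
 } catch (final ClassNotFoundException ex) {
 throw new HttpCacheEntrySerializationException("Class not found: " + ex.getMessage(), ex);
 } finally {
 ois.close();
 }
 }
+private static class RestrictedObjectInputStream extends ObjectInputStream {
+private final List<Pattern> allowedClassPatterns;
+private RestrictedObjectInputStream(final InputStream in, final List<Pat
+tern> patterns) throws IOException {
+super(in);
+this.allowedClassPatterns = patterns;
+}
+@Override
+protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOE
+xception, ClassNotFoundException {
+if (isProhibited(desc)) {
+throw new HttpCacheEntrySerializationException(String.format(
+"Class %s is not allowed for deserialization", desc.getN
+ame()));
+}
+return super.resolveClass(desc);
+}
+private boolean isProhibited(final ObjectStreamClass desc) {
+for (final Pattern pattern : allowedClassPatterns) {
+if (pattern.matcher(desc.getName()).matches()) {
+return false;
+}
+}
+return true;
+}
+}
 }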
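Review bot: The allowlist in `RestrictedObjectInputStream` is enforced only in `resolveClass`, so the interface names of a dynamic-proxy descriptor, which `ObjectInputStream` resolves through `resolveProxyClass`, never reach `isProhibited`. The restricted stream should override that method as well and apply the same patterns, as sketched below. Separately, the default patterns admit the whole `java.util` and `java.lang` trees including their subpackages, which looks wider than the `HttpCacheEntry` object graph needs; a comment on `ALLOWED_CLASS_PATTERNS` saying why each entry is there would help anyone tightening it later. The package-private varargs constructor also wraps the caller's array with `Arrays.asList(allowedClassPatterns)` without copying, so a later write to that array changes the allowlist of a class marked IMMUTABLE; `Arrays.asList(allowedClassPatterns.clone())` avoids that.

```java
// … unchanged: fields and constructor of RestrictedObjectInputStream …
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    checkAllowed(desc.getName());
    return super.resolveClass(desc);
}

@Override
protected Class<?> resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException {
    // Proxy interfaces are loaded by name without going through resolveClass.
    for (final String name : interfaces) {
        checkAllowed(name);
    }
    return super.resolveProxyClass(interfaces);
}

private void checkAllowed(final String className) throws HttpCacheEntrySerializationException {
    for (final Pattern pattern : allowedClassPatterns) {
        if (pattern.matcher(className).matches()) {
            return;
        }
    }
    throw new HttpCacheEntrySerializationException(String.format(
            "Class %s is not allowed for deserialization", className));
}
```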
 End of changes. 5 change blocks. 
1 lines changed or deleted 55 lines changed or added
