Package org.apache.log4j.net
Class HardenedObjectInputStream
- java.lang.Object
-
- java.io.InputStream
-
- java.io.ObjectInputStream
-
- org.apache.log4j.net.HardenedObjectInputStream
-
- All Implemented Interfaces:
java.io.Closeable,java.io.DataInput,java.io.ObjectInput,java.io.ObjectStreamConstants,java.lang.AutoCloseable
- Direct Known Subclasses:
HardenedLoggingEventInputStream
public class HardenedObjectInputStream extends java.io.ObjectInputStreamHardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain type of attacks from being successful.It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.
- Since:
- 1.2.18
=== Copied from the logback project with permission ==
-
-
Field Summary
Fields Modifier and Type Field Description (package private) static java.lang.StringARRAY_CLASS_PREFIX(package private) static java.lang.String[]JAVA_PACKAGES(package private) java.util.List<java.lang.String>whitelistedClassNames-
Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
-
-
Constructor Summary
Constructors Constructor Description HardenedObjectInputStream(java.io.InputStream in, java.lang.String[] whilelist)HardenedObjectInputStream(java.io.InputStream in, java.util.List<java.lang.String> whitelist)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected voidaddToWhitelist(java.util.List<java.lang.String> additionalAuthorizedClasses)private booleanisWhitelisted(java.lang.String incomingClassName)protected java.lang.Class<?>resolveClass(java.io.ObjectStreamClass anObjectStreamClass)-
Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes
-
-
-
-
Field Detail
-
ARRAY_CLASS_PREFIX
static final java.lang.String ARRAY_CLASS_PREFIX
- See Also:
- Constant Field Values
-
whitelistedClassNames
final java.util.List<java.lang.String> whitelistedClassNames
-
JAVA_PACKAGES
static final java.lang.String[] JAVA_PACKAGES
-
-
Constructor Detail
-
HardenedObjectInputStream
public HardenedObjectInputStream(java.io.InputStream in, java.lang.String[] whilelist) throws java.io.IOException- Throws:
java.io.IOException
-
HardenedObjectInputStream
public HardenedObjectInputStream(java.io.InputStream in, java.util.List<java.lang.String> whitelist) throws java.io.IOException- Throws:
java.io.IOException
-
-
Method Detail
-
resolveClass
protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass anObjectStreamClass) throws java.io.IOException, java.lang.ClassNotFoundException- Overrides:
resolveClassin classjava.io.ObjectInputStream- Throws:
java.io.IOExceptionjava.lang.ClassNotFoundException
-
isWhitelisted
private boolean isWhitelisted(java.lang.String incomingClassName)
-
addToWhitelist
protected void addToWhitelist(java.util.List<java.lang.String> additionalAuthorizedClasses)
-
-