Repository: logging-log4j-tools Updated Branches: refs/heads/master 53ef71b11 -> 283c99d16
LOG4J2-1851 Move server components from core to new server module Project: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/repo Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/commit/283c99d1 Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/tree/283c99d1 Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/diff/283c99d1 Branch: refs/heads/master Commit: 283c99d164e5ad39e2e047dcfab1eb1eba6d73cd Parents: 53ef71b Author: Mikael Ståldal <mikael.stal...@magine.com> Authored: Fri Apr 21 15:24:47 2017 +0200 Committer: Mikael Ståldal <mikael.stal...@magine.com> Committed: Fri Apr 21 15:24:47 2017 +0200 ---------------------------------------------------------------------- .../log4j/server/FilteredObjectInputStream.java | 67 ++++++++++++++++++++ .../server/ObjectInputStreamLogEventBridge.java | 1 - 2 files changed, 67 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/283c99d1/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java ----------------------------------------------------------------------
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java
new file mode 100644
index 0000000..c5bf92f
--- /dev/null
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * Extended ObjectInputStream that only allows certain classes to be deserialized.
+ *
+ * @since 2.8.2
+ */
+public class FilteredObjectInputStream extends ObjectInputStream {
+
+ private static final List<String> REQUIRED_JAVA_CLASSES = Arrays.asList(
+ // for StandardLevel
+ "java.lang.Enum",
+ // for location information
+ "java.lang.StackTraceElement",
+ // for Message delegate
+ "java.rmi.MarshalledObject",
+ "[B"
+ );
+
+ private final Collection<String> allowedClasses;
+
+ public FilteredObjectInputStream(final InputStream in, final Collection<String> allowedClasses) throws IOException {
+ super(in);
+ this.allowedClasses = allowedClasses;
+ }
+
+ @Override
+ protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ String name = desc.getName();
+ if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
+ throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
+ }
+ return super.resolveClass(desc);
+ }
+
+ private static boolean isAllowedByDefault(final String name) {
+ return name.startsWith("org.apache.logging.log4j.") ||
+ name.startsWith("[Lorg.apache.logging.log4j.") ||
+ REQUIRED_JAVA_CLASSES.contains(name);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/283c99d1/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
----------------------------------------------------------------------
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
index ddd2e26..0f4a06f 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
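Review bot: The allow-list in FilteredObjectInputStream is enforced only in resolveClass(), but ObjectInputStream resolves dynamic-proxy descriptors through resolveProxyClass(String[]), which this class does not override, so that path is left unfiltered; the override below applies the same check to every interface name (rejecting proxies outright would also be acceptable for a log server). The constructor stores allowedClasses without a null check, so a null argument only surfaces later as an NPE inside resolveClass(); `this.allowedClasses = Objects.requireNonNull(allowedClasses, "allowedClasses");` (with `import java.util.Objects;`) makes the contract explicit at construction. The constructor also has no Javadoc; it should state that entries in allowedClasses are matched by exact fully qualified name, on top of the built-in org.apache.logging.log4j. prefix and REQUIRED_JAVA_CLASSES, and that array types must be given in descriptor form as the existing `"[B"` and `"[Lorg.apache.logging.log4j."` entries show.
```java
    @Override
    protected Class<?> resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException {
        // Proxy descriptors never reach resolveClass(); apply the same allow-list to each interface.
        for (final String name : interfaces) {
            if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
                throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    // … unchanged: resolveClass, isAllowedByDefault …
```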
@@ -24,7 +24,6 @@ import java.util.List; import org.apache.logging.log4j.core.LogEvent; import org.apache.logging.log4j.core.LogEventListener; -import org.apache.logging.log4j.core.util.FilteredObjectInputStream; /** * Reads and logs serialized {@link LogEvent} objects from an {@link ObjectInputStream}.