This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch 2.1.X
in repository https://gitbox.apache.org/repos/asf/mina.git
The following commit(s) were added to refs/heads/2.1.X by this push:
new ba8c355d8 Added a missing fix
new 8cd26a303 Merge remote-tracking branch 'refs/remotes/origin/2.1.X'
into 2.1.X
ba8c355d8 is described below
commit ba8c355d82a010d677455df43b49725d21dbd07a
Author: emmanuel lecharny <[email protected]>
AuthorDate: Wed Apr 29 16:42:23 2026 +0200
Added a missing fix
---
.../apache/mina/core/buffer/AbstractIoBuffer.java | 46 +++++------
.../org/apache/mina/core/buffer/IoBufferTest.java | 90 +++++++++++++++++++---
2 files changed, 104 insertions(+), 32 deletions(-)
diff --git
a/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
b/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
index 2ea560916..247b51af7 100644
--- a/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
+++ b/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
@@ -2176,7 +2176,16 @@ public abstract class AbstractIoBuffer extends IoBuffer {
case 1: // Serializable class
String className = readUTF();
+
+ // Only accept classes that are listed as acceptable
+ // Apply class filter BEFORE calling Class.forName
+ if (!acceptMatchers.stream().anyMatch(m ->
m.matches(className))) {
+ throw new ClassNotFoundException("Class not in
accept list " + className);
+ }
+
+ // Use initialize=false to prevent static block
execution during class loading
Class<?> clazz = Class.forName(className, true,
classLoader);
+
return ObjectStreamClass.lookup(clazz);
default:
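Review bot: The comment added above the lookup says `initialize=false` is used to keep static initializers from running, but the call on the next line still passes `true` (`Class.forName(className, true, classLoader)`), so an accept-listed class is initialized during deserialization and the comment documents behaviour the code does not have. Either pass `false`, as the `resolveClass` override later in this diff already does, or reword the comment to say the class is initialized; the two must agree. The filter is correctly placed before the lookup; `if (acceptMatchers.stream().noneMatch(m -> m.matches(className))) {` reads more directly than the negated `anyMatch`. The enclosing switch and method start and end outside the hunk.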
@@ -2186,31 +2195,24 @@ public abstract class AbstractIoBuffer extends IoBuffer
{
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws
IOException, ClassNotFoundException {
+ String className = desc.getName();
+
+ // apply acceptMatchers filter before any Class.forName() call,
+ // regardless of whether forClass() is null or not
+ if (!acceptMatchers.stream().anyMatch(m ->
m.matches(className))) {
+ throw new ClassNotFoundException("Class not in accept list
" + className);
+ }
+
Class<?> clazz = desc.forClass();
- if (clazz == null) {
- String name = desc.getName();
- try {
- return Class.forName(name, false, classLoader);
- } catch (ClassNotFoundException ex) {
- return super.resolveClass(desc);
- }
- } else {
- boolean found = false;
- String className = desc.getName();
-
- for (ClassNameMatcher matcher : acceptMatchers) {
- if (matcher.matches(className)) {
- found = true;
- break;
- }
- }
+ if (clazz != null) {
+ return clazz;
+ }
- if (found) {
- return clazz;
- }
-
- throw new ClassNotFoundException();
+ try {
+ return Class.forName(className, false, classLoader);
+ } catch (ClassNotFoundException ex) {
+ return super.resolveClass(desc);
}
}
}) {
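Review bot: The accept-list check at the top of `resolveClass` is a verbatim copy of the one added in the `case 1` branch of the preceding hunk, same stream expression and same exception message, so the two filters can drift apart the next time one is touched. A single private helper that both call sites use keeps the deny-by-default check in one place; the enclosing class is outside the hunk (the trailing `}) {` suggests an anonymous class), so the helper belongs wherever `acceptMatchers` is declared. The rest of the method, first consulting `desc.forClass()` and then falling back to `super.resolveClass(desc)`, is unchanged in substance.
```java
/** Rejects any class name that no configured matcher accepts; an empty matcher list accepts nothing. */
private void checkAccepted(String className) throws ClassNotFoundException {
    if (acceptMatchers.stream().noneMatch(m -> m.matches(className))) {
        throw new ClassNotFoundException("Class not in accept list " + className);
    }
}

// in resolveClass, replacing the inline stream check:
String className = desc.getName();
checkAccepted(className);
// … unchanged: forClass() short-circuit, Class.forName fallback, super.resolveClass …
```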
diff --git
a/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
b/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
index ef59a3703..918f69040 100644
--- a/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
+++ b/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
@@ -44,6 +44,7 @@ import java.util.List;
import org.apache.mina.core.buffer.matcher.RegexpClassNameMatcher;
import org.apache.mina.core.buffer.matcher.WildcardClassNameMatcher;
import org.apache.mina.util.Bar;
+import org.apache.mina.util.Foo;
import org.junit.Test;
/**
@@ -53,10 +54,10 @@ import org.junit.Test;
*/
public class IoBufferTest {
- private static interface NonserializableInterface {
+ private static interface NonSerializableInterface {
}
- public static class NonserializableClass {
+ public static class NonSerializableClass {
}
/**
@@ -390,8 +391,29 @@ public class IoBufferTest {
assertNotSame(o, o2);
}
+ @Test(expected=ClassNotFoundException.class)
+ public void testObjectSerializationReject() throws Exception {
+ IoBuffer buf = IoBuffer.allocate(16);
+ buf.setAutoExpand(true);
+ List<Object> o = new ArrayList<>();
+ o.add(new Date());
+ o.add(long.class);
+
+ // We don't accept type 0 class (long)
+ buf.accept(ArrayList.class.getName(), Date.class.getName());
+
+ // Test writing an object.
+ buf.putObject(o);
+
+ // Test reading an object.
+ buf.clear();
+
+ // The call should fail as long is not accepted
+ buf.getObject();
+ }
+
@Test
- public void testNonserializableClass() throws Exception {
+ public void testSerializableClass() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
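Review bot: `testObjectSerializationReject` pins only the negative path for the primitive `long.class` descriptor (rejected when absent from the accept list); there is no companion test showing that the same list of `ArrayList`, `Date` and `long.class.getName()` round-trips successfully, so a regression that rejects primitives unconditionally would go unnoticed. A positive test with `buf.accept(ArrayList.class.getName(), Date.class.getName(), long.class.getName());` followed by `assertEquals(o, buf.getObject());` would close that gap. The comment `// We don't accept type 0 class (long)` refers to a type code that is not visible in this file; naming it as "primitive class descriptor" would read better to someone without the `AbstractIoBuffer` source open.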
@@ -409,7 +431,7 @@ public class IoBufferTest {
}
@Test
- public void testNonserializableClassAcceptWildcard() throws Exception {
+ public void testSerializableClassAcceptWildcard() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
@@ -428,7 +450,7 @@ public class IoBufferTest {
}
@Test
- public void testNonserializableClassAcceptRegexp() throws Exception {
+ public void testSerializableClassAcceptRegexp() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
@@ -446,8 +468,8 @@ public class IoBufferTest {
assertSame(c, o);
}
- @Test(expected=ClassNotFoundException.class)
- public void testNonserializableClassReject() throws Exception {
+ @Test(expected=BufferDataException.class)
+ public void testNonSerializableBaseClassReject() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
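Review bot: The expected exception of the renamed `testNonSerializableBaseClassReject` changes from `ClassNotFoundException` to `BufferDataException` with no comment, while every other reject test added in this diff expects `ClassNotFoundException`; a reader cannot tell from the hunk why this rejection surfaces as a different type. A one-line comment above the annotation stating why the failure is wrapped here, for example `// Rejection of String.class surfaces as BufferDataException; see the other *Reject tests for the unwrapped ClassNotFoundException case`, would document the intent, provided that is in fact the reason. The method body continues outside the hunk.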
@@ -462,13 +484,44 @@ public class IoBufferTest {
}
@Test
- public void testNonserializableInterface() throws Exception {
- Class<?> c = NonserializableInterface.class;
+ public void testNonSerializableInterfaceAccept() throws Exception {
+ Class<?> c = NonSerializableInterface.class;
+
+ IoBuffer buffer = IoBuffer.allocate(16);
+ buffer.setAutoExpand(true);
+ buffer.putObject(c);
+ buffer.accept(NonSerializableInterface.class.getName());
+
+ buffer.flip();
+ Object o = buffer.getObject();
+
+ assertEquals(c, o);
+ assertSame(c, o);
+ }
+
+
+ @Test(expected=ClassNotFoundException.class)
+ public void testNonserializableInterfaceReject() throws Exception {
+ Class<?> c = NonSerializableInterface.class;
+
+ IoBuffer buffer = IoBuffer.allocate(16);
+ buffer.setAutoExpand(true);
+ buffer.putObject(c);
+
+ buffer.flip();
+
+ // We must get an error
+ buffer.getObject();
+ }
+
+ @Test
+ public void testNonSerializableClassAccept() throws Exception {
+ Class<?> c = NonSerializableClass.class;
IoBuffer buffer = IoBuffer.allocate(16);
buffer.setAutoExpand(true);
buffer.putObject(c);
- buffer.accept(NonserializableInterface.class.getName());
+ buffer.accept(NonSerializableClass.class.getName());
buffer.flip();
Object o = buffer.getObject();
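Review bot: `testNonserializableInterfaceReject` keeps the lowercase `s` spelling that the rest of this commit renames away (`NonSerializableInterface`, `testNonSerializableInterfaceAccept`, `testNonSerializableClassAccept`), so the naming ends up inconsistent within the same file; `public void testNonSerializableInterfaceReject() throws Exception {` matches the new convention. There are also two consecutive blank lines between `testNonSerializableInterfaceAccept` and the reject test where the file otherwise uses one. The same inconsistency does not appear in the following hunk, whose `testNonSerializableClassReject` already uses the new spelling.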
@@ -477,6 +530,20 @@ public class IoBufferTest {
assertSame(c, o);
}
+ @Test(expected=ClassNotFoundException.class)
+ public void testNonSerializableClassReject() throws Exception {
+ Class<?> c = NonSerializableClass.class;
+
+ IoBuffer buffer = IoBuffer.allocate(16);
+ buffer.setAutoExpand(true);
+ buffer.putObject(c);
+
+ buffer.flip();
+
+ // The call must fail
+ buffer.getObject();
+ }
+
@Test
public void testAllocate() throws Exception {
for (int i = 10; i < 1048576 * 2; i = i * 11 / 10) // increase by 10%
@@ -1009,7 +1076,10 @@ public class IoBufferTest {
// Test writing an object.
buf.putObject(expected);
+
+ // We must accept all the classes, including the parents.
buf.accept(Bar.class.getName());
+ buf.accept(Foo.class.getName());
// Test reading an object.
buf.clear();