This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch 2.2.X
in repository https://gitbox.apache.org/repos/asf/mina.git
The following commit(s) were added to refs/heads/2.2.X by this push:
new cca24d646 Added a missing fix
new d108d0c86 Merge remote-tracking branch 'refs/remotes/origin/2.2.X'
into 2.2.X
cca24d646 is described below
commit cca24d646c898adf7e01a765ebf6d677cc02b696
Author: emmanuel lecharny <[email protected]>
AuthorDate: Wed Apr 29 16:59:03 2026 +0200
Added a missing fix
---
.../apache/mina/core/buffer/AbstractIoBuffer.java | 58 ++++++-------
.../org/apache/mina/core/buffer/IoBufferTest.java | 96 +++++++++++++++++++---
2 files changed, 113 insertions(+), 41 deletions(-)
diff --git
a/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
b/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
index c600a4e2c..ce41c9da5 100644
--- a/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
+++ b/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
@@ -2175,21 +2175,29 @@ public abstract class AbstractIoBuffer extends IoBuffer
{
@Override
protected ObjectStreamClass readClassDescriptor() throws
IOException, ClassNotFoundException {
int type = read();
-
+
if (type < 0) {
throw new EOFException();
}
-
+
switch (type) {
case 0: // NON-Serializable class or Primitive types
return super.readClassDescriptor();
-
+
case 1: // Serializable class
String className = readUTF();
+
+ // Only accept classes that are listed as acceptable
+ // Apply class filter BEFORE calling Class.forName
+ if (!acceptMatchers.stream().anyMatch(m ->
m.matches(className))) {
+ throw new ClassNotFoundException("Class not in
accept list " + className);
+ }
+
+ // Use initialize=false to prevent static block
execution during class loading
Class<?> clazz = Class.forName(className, true,
classLoader);
-
+
return ObjectStreamClass.lookup(clazz);
-
+
default:
throw new StreamCorruptedException("Unexpected class
descriptor type: " + type);
}
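Review bot: The added comment `// Use initialize=false to prevent static block execution during class loading` contradicts the call directly under it, `Class.forName(className, true, classLoader)`, which passes initialize=true and so runs the static initializer of any accept-listed class before `ObjectStreamClass.lookup` is reached. The resolveClass hunk below already uses `Class.forName(className, false, classLoader)`; the descriptor path should match it: `Class<?> clazz = Class.forName(className, false, classLoader);`. As a point of style, the guard `!acceptMatchers.stream().anyMatch(m -> m.matches(className))` here and in resolveClass reads more directly as `acceptMatchers.stream().noneMatch(m -> m.matches(className))`. The enclosing anonymous ObjectInputStream subclass begins outside the hunk.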
@@ -2197,32 +2205,24 @@ public abstract class AbstractIoBuffer extends IoBuffer
{
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws
IOException, ClassNotFoundException {
- Class<?> clazz = desc.forClass();
+ String className = desc.getName();
- if (clazz == null) {
- String name = desc.getName();
-
- try {
- return Class.forName(name, false, classLoader);
- } catch (ClassNotFoundException ex) {
- return super.resolveClass(desc);
- }
- } else {
- boolean found = false;
- String className = desc.getName();
-
- for (ClassNameMatcher matcher : acceptMatchers) {
- if (matcher.matches(className)) {
- found = true;
- break;
- }
- }
+ // apply acceptMatchers filter before any Class.forName() call,
+ // regardless of whether forClass() is null or not
+ if (!acceptMatchers.stream().anyMatch(m ->
m.matches(className))) {
+ throw new ClassNotFoundException("Class not in accept list
" + className);
+ }
+
+ Class<?> clazz = desc.forClass();
- if (found) {
- return clazz;
- }
-
- throw new ClassNotFoundException();
+ if (clazz != null) {
+ return clazz;
+ }
+
+ try {
+ return Class.forName(className, false, classLoader);
+ } catch (ClassNotFoundException ex) {
+ return super.resolveClass(desc);
}
}
}) {
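Review bot: The reordered resolveClass has no comment stating that the accept-list check is the only rejection point and that the `super.resolveClass(desc)` fallback in the catch is reached only for a name that already passed it; a reader could otherwise take the fallback for a bypass of the filter. I would put a short comment above the `try`, e.g. `// className was already accepted above; fall back to the default resolution only to locate it via the stream's own loader`. The ClassNotFoundException thrown on rejection carries the class name, which is useful for diagnosing a blocked deserialization, while the one from the fallback path does not; that asymmetry is presumably acceptable but worth noting. The method sits inside an anonymous subclass whose opening and closing lie outside the hunk.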
diff --git
a/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
b/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
index 41b1952ee..9eb3951f4 100644
--- a/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
+++ b/mina-core/src/test/java/org/apache/mina/core/buffer/IoBufferTest.java
@@ -44,6 +44,7 @@ import java.util.List;
import org.apache.mina.core.buffer.matcher.RegexpClassNameMatcher;
import org.apache.mina.core.buffer.matcher.WildcardClassNameMatcher;
import org.apache.mina.util.Bar;
+import org.apache.mina.util.Foo;
import org.junit.Test;
/**
@@ -53,10 +54,10 @@ import org.junit.Test;
*/
public class IoBufferTest {
- private static interface NonserializableInterface {
+ private static interface NonSerializableInterface {
}
- public static class NonserializableClass {
+ public static class NonSerializableClass {
}
/**
@@ -104,6 +105,8 @@ public class IoBufferTest {
buffer.put("012345".getBytes());
buffer.flip();
+ assertEquals(0, buffer.position());
+ assertEquals(6, buffer.limit());
assertEquals(6, buffer.remaining());
// See if we can expand with a lower number of remaining bytes. We
should not.
@@ -388,14 +391,35 @@ public class IoBufferTest {
assertNotSame(o, o2);
}
+ @Test(expected=ClassNotFoundException.class)
+ public void testObjectSerializationReject() throws Exception {
+ IoBuffer buf = IoBuffer.allocate(16);
+ buf.setAutoExpand(true);
+ List<Object> o = new ArrayList<>();
+ o.add(new Date());
+ o.add(long.class);
+
+ // We don't accept type 0 class (long)
+ buf.accept(ArrayList.class.getName(), Date.class.getName());
+
+ // Test writing an object.
+ buf.putObject(o);
+
+ // Test reading an object.
+ buf.clear();
+
+ // The call should fail as long is not accepted
+ buf.getObject();
+ }
+
@Test
- public void testNonserializableClass() throws Exception {
+ public void testSerializableClass() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
buffer.setAutoExpand(true);
buffer.putObject(c);
-
+
// Accept the String class
buffer.accept(String.class.getName());
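Review bot: The comment `// We don't accept type 0 class (long)` in testObjectSerializationReject is too terse to tell a reader which code path the test pins: per the `case 0` comment in the AbstractIoBuffer hunk, a primitive class descriptor goes through `super.readClassDescriptor()`, so the rejection is presumably raised by the accept check in resolveClass rather than by readClassDescriptor. I would expand it to something like `// long.class is written as a type-0 (primitive) descriptor, so it bypasses the readClassDescriptor filter; the accept list deliberately omits it so that resolveClass must reject it`. Stating this in the test makes the regression meaning clear if either filter is later changed.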
@@ -407,7 +431,7 @@ public class IoBufferTest {
}
@Test
- public void testNonserializableClassAcceptWildcard() throws Exception {
+ public void testSerializableClassAcceptWildcard() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
@@ -426,7 +450,7 @@ public class IoBufferTest {
}
@Test
- public void testNonserializableClassAcceptRegexp() throws Exception {
+ public void testSerializableClassAcceptRegexp() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
@@ -444,8 +468,8 @@ public class IoBufferTest {
assertSame(c, o);
}
- @Test(expected=ClassNotFoundException.class)
- public void testNonserializableClassReject() throws Exception {
+ @Test(expected=BufferDataException.class)
+ public void testNonSerializableBaseClassReject() throws Exception {
Class<?> c = String.class;
IoBuffer buffer = IoBuffer.allocate(16);
@@ -460,13 +484,44 @@ public class IoBufferTest {
}
@Test
- public void testNonserializableInterface() throws Exception {
- Class<?> c = NonserializableInterface.class;
+ public void testNonSerializableInterfaceAccept() throws Exception {
+ Class<?> c = NonSerializableInterface.class;
+
+ IoBuffer buffer = IoBuffer.allocate(16);
+ buffer.setAutoExpand(true);
+ buffer.putObject(c);
+ buffer.accept(NonSerializableInterface.class.getName());
+
+ buffer.flip();
+ Object o = buffer.getObject();
+
+ assertEquals(c, o);
+ assertSame(c, o);
+ }
+
+
+ @Test(expected=ClassNotFoundException.class)
+ public void testNonserializableInterfaceReject() throws Exception {
+ Class<?> c = NonSerializableInterface.class;
+
+ IoBuffer buffer = IoBuffer.allocate(16);
+ buffer.setAutoExpand(true);
+ buffer.putObject(c);
+
+ buffer.flip();
+
+ // We must get an error
+ buffer.getObject();
+ }
+
+ @Test
+ public void testNonSerializableClassAccept() throws Exception {
+ Class<?> c = NonSerializableClass.class;
IoBuffer buffer = IoBuffer.allocate(16);
buffer.setAutoExpand(true);
buffer.putObject(c);
- buffer.accept(NonserializableInterface.class.getName());
+ buffer.accept(NonSerializableClass.class.getName());
buffer.flip();
Object o = buffer.getObject();
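Review bot: The new test name `testNonserializableInterfaceReject` uses the lowercase `serializable` spelling that this same commit renames away everywhere else (`NonSerializableInterface`, `testNonSerializableInterfaceAccept`, `testNonSerializableClassReject`); it should be `public void testNonSerializableInterfaceReject() throws Exception {` for consistency. There is also a doubled blank line between testNonSerializableInterfaceAccept and that test, where the rest of the file uses a single one.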
@@ -475,6 +530,20 @@ public class IoBufferTest {
assertSame(c, o);
}
+ @Test(expected=ClassNotFoundException.class)
+ public void testNonSerializableClassReject() throws Exception {
+ Class<?> c = NonSerializableClass.class;
+
+ IoBuffer buffer = IoBuffer.allocate(16);
+ buffer.setAutoExpand(true);
+ buffer.putObject(c);
+
+ buffer.flip();
+
+ // The call must fail
+ buffer.getObject();
+ }
+
@Test
public void testAllocate() throws Exception {
for (int i = 10; i < 1048576 * 2; i = i * 11 / 10) // increase by 10%
@@ -1007,7 +1076,10 @@ public class IoBufferTest {
// Test writing an object.
buf.putObject(expected);
+
+ // We must accept all the classes, including the parents.
buf.accept(Bar.class.getName());
+ buf.accept(Foo.class.getName());
// Test reading an object.
buf.clear();
@@ -1766,4 +1838,4 @@ public class IoBufferTest {
assertEquals((byte)0x80, buffer.get());
}
}
-}
+}
\ No newline at end of file