Google Git
Sign in
apache / logging-log4j-tools / 283c99d164e5ad39e2e047dcfab1eb1eba6d73cd^! / .
commit283c99d164e5ad39e2e047dcfab1eb1eba6d73cd[log] [tgz]
authorMikael Ståldal <mikael.staldal@magine.com>Fri Apr 21 15:24:47 2017 +0200
committerMikael Ståldal <mikael.staldal@magine.com>Fri Apr 21 15:24:47 2017 +0200
tree770d2568705ab7874036b1f16f3e017399266b7b
parent53ef71b112e43226f0a37d3a5af71a8238e3e877 [diff]
LOG4J2-1851 Move server components from core to new server module

diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java
new file mode 100644
index 0000000..c5bf92f
--- /dev/null
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/FilteredObjectInputStream.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * Extended ObjectInputStream that only allows certain classes to be deserialized.
+ *
+ * @since 2.8.2
+ */
+public class FilteredObjectInputStream extends ObjectInputStream {
+
+    private static final List<String> REQUIRED_JAVA_CLASSES = Arrays.asList(
+        // for StandardLevel
+        "java.lang.Enum",
+        // for location information
+        "java.lang.StackTraceElement",
+        // for Message delegate
+        "java.rmi.MarshalledObject",
+        "[B"
+    );
+
+    private final Collection<String> allowedClasses;
+
+    public FilteredObjectInputStream(final InputStream in, final Collection<String> allowedClasses) throws IOException {
+        super(in);
+        this.allowedClasses = allowedClasses;
+    }
+
+    @Override
+    protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        String name = desc.getName();
+        if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
+            throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
+        }
+        return super.resolveClass(desc);
+    }
+
+    private static boolean isAllowedByDefault(final String name) {
+        return name.startsWith("org.apache.logging.log4j.") ||
+            name.startsWith("[Lorg.apache.logging.log4j.") ||
+            REQUIRED_JAVA_CLASSES.contains(name);
+    }
+
+}

diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
index ddd2e26..0f4a06f 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java

@@ -24,7 +24,6 @@
 
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.LogEventListener;
-import org.apache.logging.log4j.core.util.FilteredObjectInputStream;
 
 /**
  * Reads and logs serialized {@link LogEvent} objects from an {@link ObjectInputStream}.