org.apache.log4j.net

Class HardenedObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

org.apache.log4j.net.HardenedObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

Direct Known Subclasses:

HardenedLoggingEventInputStream

public class HardenedObjectInputStream
extends ObjectInputStream

HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain type of attacks from being successful.

It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.

Since:

1.2.18

=== Copied from the logback project with permission ==

Author:

Ceki Gülcü

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor and Description
HardenedObjectInputStream(InputStream in, List<String> whitelist)
HardenedObjectInputStream(InputStream in, String[] whilelist)

Method Summary

Modifier and Type	Method and Description
protected void	addToWhitelist(List<String> additionalAuthorizedClasses)
protected Class<?>	resolveClass(ObjectStreamClass anObjectStreamClass)

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Constructor Detail

HardenedObjectInputStream

public HardenedObjectInputStream(InputStream in,
                                 String[] whilelist)
                          throws IOException

Throws:

IOException

HardenedObjectInputStream

public HardenedObjectInputStream(InputStream in,
                                 List<String> whitelist)
                          throws IOException

Throws:

IOException

Method Detail

resolveClass

protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass)
                         throws IOException,
                                ClassNotFoundException

Overrides:

resolveClass in class ObjectInputStream

Throws:

IOException

ClassNotFoundException

addToWhitelist

protected void addToWhitelist(List<String> additionalAuthorizedClasses)