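--- a/<unknown-path>
+++ b/<unknown-path>
@@ -1,65 +1,65 @@
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.SAXParserFactory;
+public static Object deserialize ( byte [] buffer ) throws IOException, ClassNotFoundException {
+
 Object obj = null;
-DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance ( );
-String FEATURE = null;
-String user = jTextField.getText ( );
+
+try ( ByteArrayInputStream byte_array = new ByteArrayInputStream ( buffer ) ) {
+
 try ( ObjectInputStream obj_stream = new ObjectInputStream ( byte_array ) ) {
-try {
+
 obj = obj_stream.readObject ( );
-FEATURE = "http://example/xml/features/no-external-entities";
-dbf.setFeature ( FEATURE, false );
+
+}
 
-dbf.setXIncludeAware ( false );
-dbf.setExpandEntityReferences ( false );
+}
+
 return ( obj );
-File xml = new File ( “/example/system/” + user );
-DocumentBuilder builder = dbf.newDocumentBuilder ( );
-Document doc = builder.parse ( xml );
-doc.getDocumentElement ( ).normalize ( );
+
+
+
+
 
-} catch ( SAXException e ) {
+java.io.ObjectInputStream.resolveClass ( );
 
-logger.warning( "A DOCTYPE was passed into the XML document" );
+
 
 class SecureObjectInputStream extends ObjectInputStream {
 
-DocumentBuilder safebuilder = dbf.newDocumentBuilder ( );
+public Set whitelist;
 
 public WhitelistedObjectInputStream(InputStream default_stream ) throws IOException {
 
 super( sefault_stream );
 
 }
 
 whitelist = new HashSet <String> ( Arrays.asList ( new String[] { "class_1","class_2", ... } ) );
 
 @Override
 protected Class <?> resolveClass ( ObjectStreamClass obj_class ) throws IOException, ClassNotFoundException {
 
 if ( !whitelist.contains ( obj_class.getName ( ) ) )
 throw new InvalidClassException ( "Unexpected serialized class", obj_class.getName ( ) );
 
 return ( super.resolveClass ( obj_class ) );
 
 }
 
 }
 
 private static Object deserialize ( byte[] buffer ) throws IOException, ClassNotFoundException {
 
 Object obj = null;
 
 try ( ByteArrayInputStream byte_array = new ByteArrayInputStream ( buffer ) ) {
 
 try ( SecureObjectInputStream obj_stream = new WhitelistedObjectInputStream ( byte_array, whitelist ) ) {
 
 obj = obj_stream.readObject ( );
 
 }
 
 }
 
 return ( obj );
 
 }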
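Review bot: The first `deserialize` (new lines 1–15) still reads the untrusted buffer through a plain `ObjectInputStream`, so nothing constrains which classes it instantiates; the whitelist added lower in the paste only takes effect if callers use `SecureObjectInputStream`, and on Java 9+ `ObjectInputStream.setObjectInputFilter` is the standard way to enforce the same allow-list (it also lets you cap array length and graph depth, which a `resolveClass` override cannot). The `SecureObjectInputStream` declaration does not compile as written: the constructor is named `WhitelistedObjectInputStream`, it passes the misspelled `sefault_stream` to `super`, the `whitelist` assignment on line 35 sits outside any method, and the second `deserialize` on line 55 calls a one-argument constructor with `( byte_array, whitelist )`. The stray `java.io.ObjectInputStream.resolveClass ( );` on new line 21 is not a valid statement (`resolveClass` is a protected instance method taking an `ObjectStreamClass`) and should be dropped. The raw `Set` field should be typed `Set<String>`, and the call on line 55 becomes `try ( SecureObjectInputStream obj_stream = new SecureObjectInputStream ( byte_array ) ) {`. Rewritten field and constructor below; `resolveClass` keeps its logic but reads the constant.
```java
class SecureObjectInputStream extends ObjectInputStream {

    // Fully-qualified names of the only classes this stream may instantiate.
    private static final Set<String> WHITELIST =
            new HashSet<>(Arrays.asList("class_1", "class_2"));

    public SecureObjectInputStream(InputStream default_stream) throws IOException {
        super(default_stream);
    }

    // … unchanged: resolveClass override, checking WHITELIST instead of the whitelist field …
}
```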