SHOW:
|
|
- or go back to the newest paste.
| 1 | - | import javax.xml.parsers.DocumentBuilderFactory; |
| 1 | + | public static Object deserialize ( byte [] buffer ) throws IOException, ClassNotFoundException {
|
| 2 | - | import javax.xml.parsers.SAXParserFactory; |
| 2 | + | |
| 3 | Object obj = null; | |
| 4 | - | DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance ( ); |
| 4 | + | |
| 5 | - | String FEATURE = null; |
| 5 | + | try ( ByteArrayInputStream byte_array = new ByteArrayInputStream ( buffer ) ) {
|
| 6 | - | String user = jTextField.getText ( ); |
| 6 | + | |
| 7 | try ( ObjectInputStream obj_stream = new ObjectInputStream ( byte_array ) ) {
| |
| 8 | - | try {
|
| 8 | + | |
| 9 | obj = obj_stream.readObject ( ); | |
| 10 | - | FEATURE = "http://example/xml/features/no-external-entities"; |
| 10 | + | |
| 11 | - | dbf.setFeature ( FEATURE, false ); |
| 11 | + | } |
| 12 | ||
| 13 | - | dbf.setXIncludeAware ( false ); |
| 13 | + | } |
| 14 | - | dbf.setExpandEntityReferences ( false ); |
| 14 | + | |
| 15 | return ( obj ); | |
| 16 | - | File xml = new File ( “/example/system/” + user ); |
| 16 | + | |
| 17 | - | DocumentBuilder builder = dbf.newDocumentBuilder ( ); |
| 17 | + | |
| 18 | - | Document doc = builder.parse ( xml ); |
| 18 | + | |
| 19 | - | doc.getDocumentElement ( ).normalize ( ); |
| 19 | + | |
| 20 | ||
| 21 | - | } catch ( SAXException e ) {
|
| 21 | + | java.io.ObjectInputStream.resolveClass ( ); |
| 22 | ||
| 23 | - | logger.warning( "A DOCTYPE was passed into the XML document" ); |
| 23 | + | |
| 24 | ||
| 25 | class SecureObjectInputStream extends ObjectInputStream {
| |
| 26 | ||
| 27 | - | DocumentBuilder safebuilder = dbf.newDocumentBuilder ( ); |
| 27 | + | public Set whitelist; |
| 28 | ||
| 29 | public WhitelistedObjectInputStream(InputStream default_stream ) throws IOException {
| |
| 30 | ||
| 31 | super( sefault_stream ); | |
| 32 | ||
| 33 | } | |
| 34 | ||
| 35 | whitelist = new HashSet <String> ( Arrays.asList ( new String[] { "class_1","class_2", ... } ) );
| |
| 36 | ||
| 37 | @Override | |
| 38 | protected Class <?> resolveClass ( ObjectStreamClass obj_class ) throws IOException, ClassNotFoundException {
| |
| 39 | ||
| 40 | if ( !whitelist.contains ( obj_class.getName ( ) ) ) | |
| 41 | throw new InvalidClassException ( "Unexpected serialized class", obj_class.getName ( ) ); | |
| 42 | ||
| 43 | return ( super.resolveClass ( obj_class ) ); | |
| 44 | ||
| 45 | } | |
| 46 | ||
| 47 | } | |
| 48 | ||
| 49 | private static Object deserialize ( byte[] buffer ) throws IOException, ClassNotFoundException {
| |
| 50 | ||
| 51 | Object obj = null; | |
| 52 | ||
| 53 | try ( ByteArrayInputStream byte_array = new ByteArrayInputStream ( buffer ) ) {
| |
| 54 | ||
| 55 | try ( SecureObjectInputStream obj_stream = new WhitelistedObjectInputStream ( byte_array, whitelist ) ) {
| |
| 56 | ||
| 57 | obj = obj_stream.readObject ( ); | |
| 58 | ||
| 59 | } | |
| 60 | ||
| 61 | } | |
| 62 | ||
| 63 | return ( obj ); | |
| 64 | ||
| 65 | } |
