
Commit c3015e4

committed
Fixed issue restlet#774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz.
1 parent 75c8cc4 commit c3015e4

3 files changed

Lines changed: 47 additions & 14 deletions


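--- a/build/tmpl/text/changes.txt
+++ b/build/tmpl/text/changes.txt
@@ -18,7 +18,8 @@ Changes log
 (issues #599 and #656). Reported by weiweiwang.
 - Fixed reading of Via header (issue #599).
 Reported by Nicolas Rinaudo.
-
+- Fixed issue #774 - Removed default support of JavaBeans XML-serialization.
+Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz.
 - 2.0.15 (2012-08-23)
 - Bug fixed
 - Fixed bug in Reference#getParentRef with relative URIs.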

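--- a/modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java
+++ b/modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java
@@ -78,6 +78,10 @@ public class DefaultConverter extends ConverterHelper {
 private static final VariantInfo VARIANT_OBJECT_XML = new VariantInfo(
 MediaType.APPLICATION_JAVA_OBJECT_XML);
 
+/** Indicates whether the JavaBeans XML deserialization is supported or not. */
+private static final boolean VARIANT_OBJECT_XML_SUPPORTED = Boolean
+.getBoolean("org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED");
+
 @Override
 public List<Class<?>> getObjectClasses(Variant source) {
 List<Class<?>> result = null;
@@ -90,7 +94,8 @@ public List<Class<?>> getObjectClasses(Variant source) {
 MediaType mediaType = source.getMediaType();
 
 if (MediaType.APPLICATION_JAVA_OBJECT.equals(mediaType)
-|| MediaType.APPLICATION_JAVA_OBJECT_XML.equals(mediaType)) {
+|| (VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML
+.equals(mediaType))) {
 result = addObjectClass(result, Object.class);
 } else if (MediaType.APPLICATION_WWW_FORM.equals(mediaType)) {
 result = addObjectClass(result, Form.class);
@@ -124,7 +129,9 @@ public List<VariantInfo> getVariants(Class<?> source) {
 result = addVariant(result, VARIANT_FORM);
 } else if (Serializable.class.isAssignableFrom(source)) {
 result = addVariant(result, VARIANT_OBJECT);
-result = addVariant(result, VARIANT_OBJECT_XML);
+if (VARIANT_OBJECT_XML_SUPPORTED) {
+result = addVariant(result, VARIANT_OBJECT_XML);
+}
 }
 }
 
@@ -161,11 +168,13 @@ public float score(Object source, Variant target, UniformResource resource) {
 } else if (MediaType.APPLICATION_JAVA_OBJECT
 .isCompatible(target.getMediaType())) {
 result = 0.6F;
-} else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target
-.getMediaType())) {
+} else if (VARIANT_OBJECT_XML_SUPPORTED
+&& MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target
+.getMediaType())) {
 result = 1.0F;
-} else if (MediaType.APPLICATION_JAVA_OBJECT_XML
-.isCompatible(target.getMediaType())) {
+} else if (VARIANT_OBJECT_XML_SUPPORTED
+&& MediaType.APPLICATION_JAVA_OBJECT_XML
+.isCompatible(target.getMediaType())) {
 result = 0.6F;
 }
 } else {
@@ -217,11 +226,13 @@ public <T> float score(Representation source, Class<T> target,
 } else if (MediaType.APPLICATION_JAVA_OBJECT
 .isCompatible(source.getMediaType())) {
 result = 0.6F;
-} else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source
-.getMediaType())) {
+} else if (VARIANT_OBJECT_XML_SUPPORTED
+&& MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source
+.getMediaType())) {
 result = 1.0F;
-} else if (MediaType.APPLICATION_JAVA_OBJECT_XML
-.isCompatible(source.getMediaType())) {
+} else if (VARIANT_OBJECT_XML_SUPPORTED
+&& MediaType.APPLICATION_JAVA_OBJECT_XML
+.isCompatible(source.getMediaType())) {
 result = 0.6F;
 } else {
 result = 0.5F;
@@ -332,8 +343,10 @@ public <T> void updatePreferences(List<Preference<MediaType>> preferences,
 } else if (Serializable.class.isAssignableFrom(entity)) {
 updatePreferences(preferences, MediaType.APPLICATION_JAVA_OBJECT,
 1.0F);
-updatePreferences(preferences,
-MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F);
+if (VARIANT_OBJECT_XML_SUPPORTED) {
+updatePreferences(preferences,
+MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F);
+}
 } else if (String.class.isAssignableFrom(entity)
 || Reader.class.isAssignableFrom(entity)) {
 updatePreferences(preferences, MediaType.TEXT_PLAIN, 1.0F);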
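Review bot: The new gate in getObjectClasses (hunk at new lines 94-101) and in updatePreferences (new lines 343-352) leaves `MediaType.APPLICATION_JAVA_OBJECT` accepted and advertised unconditionally for every Serializable type, so the ObjectInputStream path is still on by default; native Java deserialization of that media type from an untrusted client can give the same arbitrary-code-execution outcome this commit closes for XMLDecoder (gadget classes on the classpath), so the fix is only half of the exposure. Consider a parallel opt-in read the same way, e.g. `private static final boolean VARIANT_OBJECT_SUPPORTED = Boolean.getBoolean("org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_SUPPORTED");`, applied to the same four branches, or at minimum a Javadoc sentence on VARIANT_OBJECT_XML_SUPPORTED stating that the binary variant is unaffected. That Javadoc also says the flag controls "XML deserialization", but getVariants and updatePreferences show it equally stops the XML variant from being offered and produced, so `/** Whether the JavaBeans XML variant is accepted, advertised and produced; read once at class load from the system property, so it must be set before this class is initialised. */` is the accurate description. All of the methods touched here start and end outside the hunks.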

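--- a/modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java
+++ b/modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java
@@ -43,7 +43,26 @@
 import org.restlet.data.MediaType;
 
 /**
-* Representation based on a serializable Java object.
+* Representation based on a serializable Java object.<br>
+* It supports binary representations of JavaBeans using the
+* {@link ObjectInputStream} and {@link ObjectOutputStream} classes. In this
+* case, it handles representations having the following media type:
+* {@link MediaType#APPLICATION_JAVA_OBJECT}
+* ("application/x-java-serialized-object"). It also supports textual
+* representations of JavaBeans using the {@link XMLEncoder} and
+* {@link XMLDecoder} classes. In this case, it handles representations having
+* the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT_XML}
+* ("application/x-java-serialized-object+xml").
+*
+* SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML
+* presentations from unstrusted sources can lead to malicious attacks. As
+* pointed <a href=
+* "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html"
+* >here</a> , the {@link XMLDecoder} is able to force the JVM to execute
+* unwanted Java code described inside the XML file. Thus, the support of such
+* format has been disactivated by default inside the default converter. You can
+* activate this support by turning on the following system property:
+* org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED.
 *
 * @author Jerome Louvel
 * @param <T>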
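Review bot: The activation instructions at the end of the new class Javadoc (new lines 64-65) leave out when the property has to be set: DefaultConverter reads it into a `static final` through `Boolean.getBoolean(...)` in this same commit, so a `System.setProperty` call made after that class has loaded silently does nothing. Suggest appending `(it must be set before DefaultConverter is loaded, e.g. -Dorg.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED=true on the JVM command line)`. The warning paragraph also has three typos worth fixing while touching it: "unstrusted" → "untrusted", "presentations" → "representations", and "disactivated" → "deactivated". The Javadoc block continues past the end of the hunk.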
