Update: properly applied to buster code
Accidentally it was committed as patch for unstable without changes,
so now I should fix it.
Hideki Yamane
2 years ago
6 | 6 | xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++-- |
7 | 7 | 1 file changed, 4 insertions(+), 2 deletions(-) |
8 | 8 | |
9 | diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
10 | index b5e43af..7a166ca 100644 | |
11 | --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
12 | +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
13 | @@ -336,11 +336,13 @@ public class XStream { | |
9 | Index: libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
10 | =================================================================== | |
11 | --- libxstream-java.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
12 | +++ libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
13 | @@ -354,8 +354,10 @@ public class XStream { | |
14 | ||
15 | private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper"; | |
14 | 16 | private static final Pattern IGNORE_ALL = Pattern.compile(".*"); |
15 | private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection"); | |
16 | private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter"); | |
17 | 17 | + private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*"); |
18 | 18 | private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator"); |
19 | private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator"); | |
20 | private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile( | |
21 | "javafx\\.collections\\.ObservableList\\$.*"); | |
22 | 19 | private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*"); |
23 | 20 | + private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*"); |
24 | private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader"); | |
21 | private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream"); | |
25 | 22 | |
26 | 23 | /** |
27 | @@ -657,8 +659,8 @@ public class XStream { | |
28 | "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", // | |
29 | "sun.swing.SwingLazyValue"}); | |
30 | denyTypesByRegExp(new Pattern[]{ | |
31 | - LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS, | |
32 | - JAVAFX_OBSERVABLE_LIST__, BCEL_CL}); | |
33 | + LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO, | |
34 | + JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL}); | |
35 | denyTypeHierarchy(InputStream.class); | |
36 | denyTypeHierarchyDynamically("java.nio.channels.Channel"); | |
37 | denyTypeHierarchyDynamically("javax.activation.DataSource"); | |
24 | @@ -710,7 +712,7 @@ public class XStream { | |
25 | java.beans.EventHandler.class, | |
26 | java.lang.ProcessBuilder.class, | |
27 | java.lang.Void.class, void.class }); | |
28 | - denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM}); | |
29 | + denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM, LAZY_ENUMERATORS,JAVA_RMI}); | |
30 | allowTypeHierarchy(Exception.class); | |
31 | securityInitialized = false; | |
32 | } |