import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
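/**
 * An {@link ObjectInputStream} that resolves only a single, caller-supplied class.
 *
 * <p>Every class descriptor encountered in the stream is compared by fully-qualified name
 * against {@code allowedClass}; any other name causes a {@link SecurityException}. Because the
 * check is applied to every descriptor, serializable superclasses and non-primitive field types
 * of the allowed class are rejected as well, so this is only suitable for self-contained classes.
 * Dynamic proxy descriptors are rejected unconditionally.
 *
 * <p>Local files are generally assumed to be safe, but this additional check slightly hardens
 * the application against deserialization of arbitrary classes. Please note that it is still
 * insecure; don't use in sensitive contexts! On Java 9+ an {@code ObjectInputFilter} should be
 * the primary line of defence rather than this class.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    /** Fully-qualified name of the only class this stream will resolve. */
    private final String allowedClass;

    /**
     * Creates a stream that resolves only {@code allowedClass}.
     *
     * @param in the underlying stream to read serialized data from
     * @param allowedClass fully-qualified class name to permit; {@code null} permits nothing,
     *     because no descriptor name ever equals it
     * @throws IOException if the superclass cannot initialise from {@code in}
     */
    public SafeObjectInputStream(InputStream in, String allowedClass) throws IOException {
        super(in);
        this.allowedClass = allowedClass;
    }

    /**
     * Resolves {@code desc} only if its name matches the allowed class.
     *
     * @param desc the class descriptor read from the stream
     * @return the class resolved by the superclass
     * @throws SecurityException if the descriptor names any class other than {@code allowedClass}
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!name.equals(allowedClass)) {
            // Name the rejected class so the refusal can be diagnosed and logged by the caller.
            throw new SecurityException(
                    "Deserialization of class " + name + " is not allowed; only " + allowedClass + " is permitted");
        }
        return super.resolveClass(desc);
    }

    /**
     * Rejects dynamic proxy descriptors. A single-class whitelist has no meaningful proxy
     * equivalent, and the default implementation would resolve the listed interfaces before
     * the invocation handler object is ever checked by {@link #resolveClass}.
     *
     * @param interfaces interface names recorded in the proxy descriptor
     * @return never returns normally
     * @throws SecurityException always
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new SecurityException("Deserialization of dynamic proxies is not allowed");
    }
}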