From 9caf480e05c389548c9889362c2cb080d728b5d8 Mon Sep 17 00:00:00 2001
|
|
From: Iwao AVE! <harawata@gmail.com>
|
|
Date: Sat, 3 Oct 2020 23:58:09 +0900
|
|
Subject: [PATCH] Output warning when deserializing object stream with no
|
|
JEP-290 filter defined
|
|
|
|
---
|
|
.../cache/decorators/SerializedCache.java | 2 +
|
|
.../loader/AbstractSerialStateHolder.java | 6 ++
|
|
.../apache/ibatis/io/SerialFilterChecker.java | 54 +++++++++++++++++++
|
|
3 files changed, 61 insertions(+), 33 deletions(-)
|
|
create mode 100644 src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
|
|
|
|
diff --git a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
|
|
index aeb3d09de7a..664b214aa65 100644
|
|
--- a/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
|
|
+++ b/src/main/java/org/apache/ibatis/cache/decorators/SerializedCache.java
|
|
@@ -28,6 +28,7 @@
|
|
import org.apache.ibatis.cache.Cache;
|
|
import org.apache.ibatis.cache.CacheException;
|
|
import org.apache.ibatis.io.Resources;
|
|
+import org.apache.ibatis.io.SerialFilterChecker;
|
|
|
|
/**
|
|
* @author Clinton Begin
|
|
@@ -104,6 +105,7 @@ public boolean equals(Object obj) {
|
|
}
|
|
|
|
private Serializable deserialize(byte[] value) {
|
|
+ SerialFilterChecker.check();
|
|
Serializable result;
|
|
try {
|
|
ByteArrayInputStream bis = new ByteArrayInputStream(value);
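Review bot: The `SerialFilterChecker.check();` call added at the top of `deserialize` only logs, so when no JEP-290 filter is configured the byte array is still passed to the object stream with no restriction on which classes it may instantiate. The same applies to the call added before `new ObjectInputStream(...)` in `AbstractSerialStateHolder.readResolve`. If these bytes can originate outside the process's trust boundary (not visible from the hunk), a warning logged once per JVM is easy to miss, so the call sites should state the limitation, e.g. `// Advisory only: logs once if no JEP-290 filter is set; does not restrict deserialized classes.` `deserialize` continues past the end of the hunk, so any stream-level class filtering it may already do cannot be seen here.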
|
|
diff --git a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
|
|
index f1edbaa146a..414fe5db391 100644
|
|
--- a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
|
|
+++ b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
|
|
@@ -31,6 +31,7 @@
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
|
|
+import org.apache.ibatis.io.SerialFilterChecker;
|
|
import org.apache.ibatis.reflection.factory.ObjectFactory;
|
|
|
|
/**
|
|
@@ -106,9 +107,11 @@ protected final Object readResolve() throws ObjectStreamException {
|
|
return this.userBean;
|
|
}
|
|
|
|
+ SerialFilterChecker.check();
|
|
+
|
|
/* First run */
|
|
try {
|
|
final ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(this.userBeanBytes));
|
|
this.userBean = in.readObject();
|
|
this.unloadedProperties = (Map<String, ResultLoaderMap.LoadPair>) in.readObject();
|
|
this.objectFactory = (ObjectFactory) in.readObject();
|
|
diff --git a/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
|
|
new file mode 100644
|
|
index 00000000000..abacac68332
|
|
--- /dev/null
|
|
+++ b/src/main/java/org/apache/ibatis/io/SerialFilterChecker.java
|
|
@@ -0,0 +1,54 @@
|
|
+/**
|
|
+ * Copyright 2009-2020 the original author or authors.
|
|
+ *
|
|
+ * Licensed under the Apache License, Version 2.0 (the "License");
|
|
+ * you may not use this file except in compliance with the License.
|
|
+ * You may obtain a copy of the License at
|
|
+ *
|
|
+ * http://www.apache.org/licenses/LICENSE-2.0
|
|
+ *
|
|
+ * Unless required by applicable law or agreed to in writing, software
|
|
+ * distributed under the License is distributed on an "AS IS" BASIS,
|
|
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
+ * See the License for the specific language governing permissions and
|
|
+ * limitations under the License.
|
|
+ */
|
|
+
|
|
+package org.apache.ibatis.io;
|
|
+
|
|
+import java.security.Security;
|
|
+
|
|
+import org.apache.ibatis.logging.Log;
|
|
+import org.apache.ibatis.logging.LogFactory;
|
|
+
|
|
+public final class SerialFilterChecker {
|
|
+ private static final Log log = LogFactory.getLog(SerialFilterChecker.class);
|
|
+ /* Property key for the JEP-290 serialization filters */
|
|
+ private static final String JDK_SERIAL_FILTER = "jdk.serialFilter";
|
|
+ private static final boolean SERIAL_FILTER_MISSING;
|
|
+ private static boolean firstInvocation = true;
|
|
+
|
|
+ static {
|
|
+ Object serialFilter;
|
|
+ try {
|
|
+ Class<?> objectFilterConfig = Class.forName("java.io.ObjectInputFilter$Config");
|
|
+ serialFilter = objectFilterConfig.getMethod("getSerialFilter").invoke(null);
|
|
+ } catch (ReflectiveOperationException e) {
|
|
+ // Java 1.8
|
|
+ serialFilter = System.getProperty(JDK_SERIAL_FILTER, Security.getProperty(JDK_SERIAL_FILTER));
|
|
+ }
|
|
+ SERIAL_FILTER_MISSING = serialFilter == null;
|
|
+ }
|
|
+
|
|
+ public static void check() {
|
|
+ if (firstInvocation && SERIAL_FILTER_MISSING) {
|
|
+ firstInvocation = false;
|
|
+ log.warn(
|
|
+ "As you are using functionality that deserializes object streams, it is recommended to define the JEP-290 serial filter. "
|
|
+ + "Please refer to https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66");
|
|
+ }
|
|
+ }
|
|
+
|
|
+ private SerialFilterChecker() {
|
|
+ }
|
|
+}
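Review bot: `firstInvocation` is a plain static boolean that `check()` reads and writes without synchronization, so threads deserializing concurrently can each observe `true` and log the warning more than once. An `AtomicBoolean` guarded by `if (SERIAL_FILTER_MISSING && WARNED.compareAndSet(false, true))` would give exactly-once logging. In the static initializer, the `catch (ReflectiveOperationException e)` fallback treats a non-null `jdk.serialFilter` property as proof that a filter is active. On a runtime that lacks `java.io.ObjectInputFilter$Config` and presumably also predates support for that property, the warning would be suppressed although nothing is filtered; the `// Java 1.8` comment should say which updates honour the property. The class and `check()` also lack Javadoc explaining that the check covers only the process-wide filter and never blocks deserialization.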
|