init

2024-11-30 19:03:49 +08:00
commit 1e6763c160
3806 changed files with 737676 additions and 0 deletions
--- a/java/org/apache/catalina/util/CustomObjectInputStream.java
+++ b/java/org/apache/catalina/util/CustomObjectInputStream.java
@@ -0,0 +1,194 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.lang.reflect.Proxy;
+import java.util.Collections;
+import java.util.Set;
+import java.util.WeakHashMap;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.regex.Pattern;
+
+import org.apache.juli.logging.Log;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Custom subclass of <code>ObjectInputStream</code> that loads from the
+ * class loader for this web application.  This allows classes defined only
+ * with the web application to be found correctly.
+ *
+ * @author Craig R. McClanahan
+ * @author Bip Thelin
+ */
+public final class CustomObjectInputStream extends ObjectInputStream {
+
+    private static final StringManager sm = StringManager.getManager(CustomObjectInputStream.class);
+
+    private static final WeakHashMap<ClassLoader, Set<String>> reportedClassCache =
+            new WeakHashMap<>();
+
+    /**
+     * The class loader we will use to resolve classes.
+     */
+    private final ClassLoader classLoader;
+    private final Set<String> reportedClasses;
+    private final Log log;
+
+    private final Pattern allowedClassNamePattern;
+    private final String allowedClassNameFilter;
+    private final boolean warnOnFailure;
+
+
+    /**
+     * Construct a new instance of CustomObjectInputStream without any filtering
+     * of deserialized classes.
+     *
+     * @param stream The input stream we will read from
+     * @param classLoader The class loader used to instantiate objects
+     *
+     * @exception IOException if an input/output error occurs
+     */
+    public CustomObjectInputStream(InputStream stream, ClassLoader classLoader) throws IOException {
+        this(stream, classLoader, null, null, false);
+    }
+
+
+    /**
+     * Construct a new instance of CustomObjectInputStream with filtering of
+     * deserialized classes.
+     *
+     * @param stream The input stream we will read from
+     * @param classLoader The class loader used to instantiate objects
+     * @param log The logger to use to report any issues. It may only be null if
+     *            the filterMode does not require logging
+     * @param allowedClassNamePattern The regular expression to use to filter
+     *                                deserialized classes. The fully qualified
+     *                                class name must match this pattern for
+     *                                deserialization to be allowed if filtering
+     *                                is enabled.
+     * @param warnOnFailure Should any failures be logged?
+     *
+     * @exception IOException if an input/output error occurs
+     */
+    public CustomObjectInputStream(InputStream stream, ClassLoader classLoader,
+            Log log, Pattern allowedClassNamePattern, boolean warnOnFailure)
+            throws IOException {
+        super(stream);
+        if (log == null && allowedClassNamePattern != null && warnOnFailure) {
+            throw new IllegalArgumentException(
+                    sm.getString("customObjectInputStream.logRequired"));
+        }
+        this.classLoader = classLoader;
+        this.log = log;
+        this.allowedClassNamePattern = allowedClassNamePattern;
+        if (allowedClassNamePattern == null) {
+            this.allowedClassNameFilter = null;
+        } else {
+            this.allowedClassNameFilter = allowedClassNamePattern.toString();
+        }
+        this.warnOnFailure = warnOnFailure;
+
+        Set<String> reportedClasses;
+        synchronized (reportedClassCache) {
+            reportedClasses = reportedClassCache.get(classLoader);
+        }
+        if (reportedClasses == null) {
+            reportedClasses = Collections.newSetFromMap(new ConcurrentHashMap<String,Boolean>());
+            synchronized (reportedClassCache) {
+                Set<String> original = reportedClassCache.get(classLoader);
+                if (original == null) {
+                    reportedClassCache.put(classLoader, reportedClasses);
+                } else {
+                    // Concurrent attempts to create the new Set. Make sure all
+                    // threads use the first successfully added Set.
+                    reportedClasses = original;
+                }
+            }
+        }
+        this.reportedClasses = reportedClasses;
+    }
+
+
+    /**
+     * Load the local class equivalent of the specified stream class
+     * description, by using the class loader assigned to this Context.
+     *
+     * @param classDesc Class description from the input stream
+     *
+     * @exception ClassNotFoundException if this class cannot be found
+     * @exception IOException if an input/output error occurs
+     */
+    @Override
+    public Class<?> resolveClass(ObjectStreamClass classDesc)
+        throws ClassNotFoundException, IOException {
+
+        String name = classDesc.getName();
+        if (allowedClassNamePattern != null) {
+            boolean allowed = allowedClassNamePattern.matcher(name).matches();
+            if (!allowed) {
+                boolean doLog = warnOnFailure && reportedClasses.add(name);
+                String msg = sm.getString("customObjectInputStream.nomatch", name, allowedClassNameFilter);
+                if (doLog) {
+                    log.warn(msg);
+                } else if (log.isDebugEnabled()) {
+                    log.debug(msg);
+                }
+                throw new InvalidClassException(msg);
+            }
+        }
+
+        try {
+            return Class.forName(name, false, classLoader);
+        } catch (ClassNotFoundException e) {
+            try {
+                // Try also the superclass because of primitive types
+                return super.resolveClass(classDesc);
+            } catch (ClassNotFoundException e2) {
+                // Rethrow original exception, as it can have more information
+                // about why the class was not found. BZ 48007
+                throw e;
+            }
+        }
+    }
+
+
+    /**
+     * Return a proxy class that implements the interfaces named in a proxy
+     * class descriptor. Do this using the class loader assigned to this
+     * Context.
+     */
+    @Override
+    protected Class<?> resolveProxyClass(String[] interfaces)
+            throws IOException, ClassNotFoundException {
+
+        Class<?>[] cinterfaces = new Class[interfaces.length];
+        for (int i = 0; i < interfaces.length; i++) {
+            cinterfaces[i] = classLoader.loadClass(interfaces[i]);
+        }
+
+        try {
+            return Proxy.getProxyClass(classLoader, cinterfaces);
+        } catch (IllegalArgumentException e) {
+            throw new ClassNotFoundException(null, e);
+        }
+    }
+}