015 package com.liferay.portal.kernel.io;
016
017 import com.liferay.portal.kernel.util.StringUtil;
018
019 import java.io.IOException;
020 import java.io.InputStream;
021 import java.io.InvalidClassException;
022 import java.io.ObjectInputStream;
023 import java.io.ObjectStreamClass;
024
025 import java.util.Arrays;
026 import java.util.HashSet;
027 import java.util.Set;
028
029
/**
 * An {@link ObjectInputStream} that refuses to resolve any class whose name
 * appears in a configured set of restricted class names.
 *
 * <p>
 * The restricted names are read once, when this class is initialized, from
 * the system property
 * <code>com.liferay.portal.kernel.io.ProtectedObjectInputStream.restricted.class.names</code>
 * (the key is built from this class's fully qualified name). Changing the
 * property after class initialization has no effect on this set.
 * </p>
 *
 * <p>
 * Security notes for callers:
 * </p>
 *
 * <ul>
 * <li>
 * This is a denylist. Every class that is not listed is resolved exactly as
 * a plain <code>ObjectInputStream</code> would resolve it, so the protection
 * is only as complete as the configured list. For data from an untrusted
 * source, an allowlist (for example <code>java.io.ObjectInputFilter</code> on
 * Java 9+) is the stronger control.
 * </li>
 * <li>
 * Names are compared by exact string equality with
 * {@link ObjectStreamClass#getName()}; this class does no trimming, case
 * folding or pattern matching of its own.
 * </li>
 * <li>
 * Only {@link #resolveClass(ObjectStreamClass)} is overridden.
 * <code>resolveProxyClass</code> is inherited unchanged, so the interface
 * names of a dynamic proxy descriptor are not compared with the restricted
 * set here.
 * </li>
 * </ul>
 */
public class ProtectedObjectInputStream extends ObjectInputStream {

	/**
	 * Creates a stream that reads serialized objects from the given input
	 * stream.
	 *
	 * @param  inputStream the stream to read from
	 * @throws IOException if the superclass constructor fails
	 */
	public ProtectedObjectInputStream(InputStream inputStream)
		throws IOException {

		super(inputStream);
	}

	/**
	 * Performs the actual class lookup once the restriction check in
	 * {@link #resolveClass(ObjectStreamClass)} has passed. This
	 * implementation delegates to
	 * <code>ObjectInputStream.resolveClass</code>.
	 *
	 * <p>
	 * A subclass that overrides this method is still covered by the
	 * restriction check, provided it does not also override
	 * <code>resolveClass</code>.
	 * </p>
	 *
	 * @param  objectStreamClass the class descriptor read from the stream
	 * @return the class for the descriptor
	 * @throws ClassNotFoundException if the class cannot be found
	 * @throws IOException if the underlying lookup fails
	 */
	protected Class<?> doResolveClass(ObjectStreamClass objectStreamClass)
		throws ClassNotFoundException, IOException {

		return super.resolveClass(objectStreamClass);
	}

	/**
	 * Rejects descriptors whose name is in the restricted set and hands all
	 * others to {@link #doResolveClass(ObjectStreamClass)}.
	 *
	 * @param  objectStreamClass the class descriptor read from the stream
	 * @return the class resolved by <code>doResolveClass</code>
	 * @throws ClassNotFoundException if the class cannot be found
	 * @throws IOException if the lookup fails; an
	 *         {@link InvalidClassException} is thrown when the descriptor
	 *         names a restricted class
	 */
	@Override
	protected Class<?> resolveClass(ObjectStreamClass objectStreamClass)
		throws ClassNotFoundException, IOException {

		String className = objectStreamClass.getName();

		if (!_restrictedClassNames.contains(className)) {
			return doResolveClass(objectStreamClass);
		}

		// The rejected name is put in the message so that a blocked
		// deserialization attempt can be identified in logs.

		throw new InvalidClassException(
			"Reject resolving of restricted class " + className);
	}

	// Exact class names that must never be resolved from a stream. Filled
	// once in the static initializer below and not modified afterwards in
	// this class.

	private static final Set<String> _restrictedClassNames;

	static {
		String propertyKey =
			ProtectedObjectInputStream.class.getName() +
				".restricted.class.names";

		String propertyValue = System.getProperty(propertyKey);

		// NOTE(review): System.getProperty returns null when the property is
		// unset; this relies on StringUtil.split accepting null and yielding
		// no names (presumably an empty array; confirm). In that case nothing
		// is restricted. The delimiter and any trimming are decided by
		// StringUtil.split, not here.

		Set<String> names = new HashSet<>();

		names.addAll(Arrays.asList(StringUtil.split(propertyValue)));

		_restrictedClassNames = names;
	}

}