015 package com.liferay.portal.kernel.io;
016
017 import com.liferay.portal.kernel.util.ClassResolverUtil;
018 import com.liferay.portal.kernel.util.StringUtil;
019
020 import java.io.IOException;
021 import java.io.InputStream;
022 import java.io.InvalidClassException;
023 import java.io.ObjectInputStream;
024 import java.io.ObjectStreamClass;
025
026 import java.util.Arrays;
027 import java.util.HashSet;
028 import java.util.Set;
029
030
/**
 * An {@link ObjectInputStream} that refuses to resolve any class descriptor
 * whose name appears in a configured set of restricted class names.
 *
 * <p>
 * The restricted set is read from the system property
 * <code>com.liferay.portal.kernel.io.ProtectedObjectInputStream.restricted.class.names</code>
 * in a static initializer, so it is fixed when this class is first
 * initialized; later changes to the property are not picked up.
 * </p>
 *
 * <p>
 * Security notes for maintainers:
 * </p>
 *
 * <ul>
 * <li>
 * This is a deny list with exact string matching on the descriptor name. Any
 * class that is not listed, including subclasses of a listed class, is still
 * resolved. Callers that deserialize untrusted data should not treat this
 * stream as a complete defense.
 * </li>
 * <li>
 * NOTE(review): <code>resolveProxyClass</code> is not overridden here, so the
 * interface names of dynamic proxy descriptors are not compared with the
 * restricted set by this class. Confirm whether that is intended.
 * </li>
 * <li>
 * NOTE(review): on Java 9 and later, a <code>java.io.ObjectInputFilter</code>
 * with an allow list can be layered on top of this check.
 * </li>
 * </ul>
 */
public class ProtectedObjectInputStream extends ObjectInputStream {

	/**
	 * Creates a protected stream that reads serialized data from the given
	 * input stream.
	 *
	 * @param  inputStream the stream to read serialized objects from
	 * @throws IOException if the superclass constructor fails
	 */
	public ProtectedObjectInputStream(InputStream inputStream)
		throws IOException {

		super(inputStream);
	}

	/**
	 * Loads the class named by the descriptor. This method performs no
	 * restricted-name check of its own; {@link #resolveClass} does that
	 * before delegating here. Subclasses may override this method to change
	 * how the class is loaded.
	 *
	 * @param  objectStreamClass the descriptor of the class to load
	 * @return the class returned by
	 *         <code>ClassResolverUtil.resolveByContextClassLoader</code>
	 *         (presumably looked up through the thread context class loader;
	 *         verify against that helper)
	 * @throws ClassNotFoundException if the class cannot be found
	 * @throws IOException declared for overriding subclasses
	 */
	protected Class<?> doResolveClass(ObjectStreamClass objectStreamClass)
		throws ClassNotFoundException, IOException {

		return ClassResolverUtil.resolveByContextClassLoader(
			objectStreamClass.getName());
	}

	/**
	 * Resolves the class for a descriptor read from the stream, rejecting it
	 * when its name is in the restricted set.
	 *
	 * @param  objectStreamClass the descriptor read from the stream
	 * @return the class produced by {@link #doResolveClass}
	 * @throws ClassNotFoundException if the class cannot be found
	 * @throws IOException if the name is restricted (an {@link
	 *         InvalidClassException} is thrown before any class is loaded)
	 */
	@Override
	protected Class<?> resolveClass(ObjectStreamClass objectStreamClass)
		throws ClassNotFoundException, IOException {

		String className = objectStreamClass.getName();

		// Only names outside the restricted set reach the class loader.
		if (!_restrictedClassNames.contains(className)) {
			return doResolveClass(objectStreamClass);
		}

		throw new InvalidClassException(
			"Reject resolving of restricted class " + className);
	}

	// Names rejected by resolveClass, compared by exact string equality.
	private static final Set<String> _restrictedClassNames;

	static {

		// The property key is this class's fully qualified name plus a fixed
		// suffix.
		String propertyKey =
			ProtectedObjectInputStream.class.getName() +
				".restricted.class.names";

		// NOTE(review): the delimiter, whitespace trimming and handling of an
		// unset (null) property all depend on StringUtil.split; confirm that
		// an unset property yields an empty array rather than an exception.
		String[] configuredNames = StringUtil.split(
			System.getProperty(propertyKey));

		_restrictedClassNames = new HashSet<>(Arrays.asList(configuredNames));
	}

}