Added some controls on the classes that can be deserialized; Bumped up some plugin dependencies, and some dependencies; Fixed some javadoc issues; Fixed some Maven issues

Author: elecharny

mina-core/pom.xml

@@ -32,6 +32,7 @@
   <packaging>bundle</packaging>
 
   <dependencies>
+    <!-- Test dependencies -->
     <dependency>
       <groupId>org.easymock</groupId>
       <artifactId>easymock</artifactId>
@@ -52,6 +53,7 @@
             <Export-Package>
               org.apache.mina.core;version=${project.version};-noimport:=true,
               org.apache.mina.core.buffer;version=${project.version};-noimport:=true,
+              org.apache.mina.core.buffer.matcher;version=${project.version};-noimport:=true,
               org.apache.mina.core.file;version=${project.version};-noimport:=true,
               org.apache.mina.core.filterchain;version=${project.version};-noimport:=true,
               org.apache.mina.core.future;version=${project.version};-noimport:=true,

mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java

@@ -43,8 +43,17 @@
 import java.nio.charset.CharsetEncoder;
 import java.nio.charset.CoderResult;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.mina.core.buffer.matcher.ClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.FullClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.RegexpClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.WildcardClassNameMatcher;
+
 
 /**
  * A base implementation of {@link IoBuffer}. This implementation assumes that
@@ -80,6 +89,8 @@ public abstract class AbstractIoBuffer extends IoBuffer {
     /** A mask for an int */
     private static final long INT_MASK = 0xFFFFFFFFL;
 
+    private final List<ClassNameMatcher> acceptMatchers = new ArrayList<>();
+
     /**
      * We don't have any access to Buffer.markValue(), so we need to track it down,
      * which will cause small extra overhead.
@@ -2154,18 +2165,22 @@ public Object getObject(final ClassLoader classLoader) throws ClassNotFoundExcep
             @Override
             protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
                 int type = read();
+
                 if (type < 0) {
                     throw new EOFException();
                 }
+
                 switch (type) {
-                case 0: // NON-Serializable class or Primitive types
-                    return super.readClassDescriptor();
-                case 1: // Serializable class
-                    String className = readUTF();
-                    Class<?> clazz = Class.forName(className, true, classLoader);
-                    return ObjectStreamClass.lookup(clazz);
-                default:
-                    throw new StreamCorruptedException("Unexpected class descriptor type: " + type);
+                    case 0: // NON-Serializable class or Primitive types
+                        return super.readClassDescriptor();
+
+                    case 1: // Serializable class
+                        String className = readUTF();
+                        Class<?> clazz = Class.forName(className, true, classLoader);
+                        return ObjectStreamClass.lookup(clazz);
+
+                    default:
+                        throw new StreamCorruptedException("Unexpected class descriptor type: " + type);
                 }
             }
 
@@ -2181,7 +2196,21 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas
                         return super.resolveClass(desc);
                     }
                 } else {
-                    return clazz;
+                    boolean found = false;
+                    String className = desc.getName();
+                    
+                    for (ClassNameMatcher matcher : acceptMatchers) {
+                        if (matcher.matches(className)) {
+                            found = true;
+                            break;
+                        }
+                    }
+
+                    if (found) {
+                        return clazz;
+                    }
+                    
+                    throw new ClassNotFoundException();
                 }
             }
         }) {
@@ -2737,4 +2766,62 @@ private static void checkFieldSize(int fieldSize) {
             throw new IllegalArgumentException("fieldSize cannot be negative: " + fieldSize);
         }
     }
+
+    /**
+     * Accept the specified classes for deserialization, unless they
+     * are otherwise rejected.
+     *
+     * @param classes Classes to accept
+     * @return this object
+     */
+    public IoBuffer accept(Class<?>... classes) {
+        for (Class<?> clazz:classes) {
+            acceptMatchers.add(new FullClassNameMatcher(clazz.getName()));
+        }
+
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(ClassNameMatcher m) {
+        acceptMatchers.add(m);
+        
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(Pattern pattern) {
+        acceptMatchers.add(new RegexpClassNameMatcher(pattern));
+        
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(String... patterns) {
+        for (String pattern:patterns) {
+            acceptMatchers.add(new WildcardClassNameMatcher(pattern));
+        }
+        
+        return this;
+    }
+    
+    /**
+     * {@inheritDoc}
+     */
+    public void setMatchers(List<ClassNameMatcher> matchers) {
+        acceptMatchers.clear();
+        
+        for (ClassNameMatcher matcher:matchers) {
+            acceptMatchers.add(matcher);
+        }
+    }
 }

mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java

@@ -35,8 +35,11 @@
 import java.nio.charset.CharsetDecoder;
 import java.nio.charset.CharsetEncoder;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 
+import org.apache.mina.core.buffer.matcher.ClassNameMatcher;
 import org.apache.mina.core.session.IoSession;
 
 /**
@@ -2108,4 +2111,39 @@ public abstract IoBuffer putPrefixedString(CharSequence val, int prefixLength, i
      * @return the modified IoBuffer
      */
     public abstract <E extends Enum<E>> IoBuffer putEnumSetLong(int index, Set<E> set);
+    
+    /**
+     * Accept class names where the supplied ClassNameMatcher matches for
+     * deserialization, unless they are otherwise rejected.
+     *
+     * @param m the matcher to use
+     * @return this object
+     */
+    public abstract IoBuffer accept(ClassNameMatcher m);
+
+    /**
+     * Accept class names that match the supplied pattern for
+     * deserialization, unless they are otherwise rejected.
+     *
+     * @param pattern standard Java regexp
+     * @return this object
+     */
+    public abstract IoBuffer accept(Pattern pattern);
+
+    /**
+     * Accept the wildcard specified classes for deserialization,
+     * unless they are otherwise rejected.
+     *
+     * @param patterns Wildcard file name patterns as defined by
+     *                  {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
+     * @return this object
+     */
+    public abstract IoBuffer accept(String... patterns);
+    
+    /**
+     * Set the list of class matchers for in incoming buffer
+     * 
+     * @param matchers The list of matchers
+     */
+    public abstract void setMatchers(List<ClassNameMatcher> matchers);
 }

mina-core/src/main/java/org/apache/mina/core/buffer/IoBufferWrapper.java

@@ -33,7 +33,13 @@
 import java.nio.charset.CharacterCodingException;
 import java.nio.charset.CharsetDecoder;
 import java.nio.charset.CharsetEncoder;
+import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.mina.core.buffer.matcher.ClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.RegexpClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.WildcardClassNameMatcher;
 
 /**
  * A {@link IoBuffer} that wraps a buffer and proxies any operations to it.
@@ -1535,4 +1541,35 @@ public IoBuffer putUnsigned(int index, long value) {
         buf.putUnsigned(index, value);
         return this;
     }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(ClassNameMatcher m) {
+        return buf.accept(m);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(Pattern pattern) {
+        return buf.accept(pattern);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(String... patterns) {
+        return buf.accept(patterns);
+    }
+    
+    /**
+     * {@inheritDoc}
+     */
+    public void setMatchers(List<ClassNameMatcher> matchers) {
+        buf.setMatchers(matchers);
+    }
 }

mina-core/src/main/java/org/apache/mina/core/buffer/matcher/ClassNameMatcher.java

@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.mina.core.buffer.matcher;
+
+/**
+ * An object that matches a Class name to a condition.
+ */
+public interface ClassNameMatcher {
+    /**
+     * Returns {@code true} if the supplied class name matches this object's condition.
+     *
+     * @param className fully qualified class name
+     * @return {@code true} if the class name matches this object's condition
+     */
+    boolean matches(String className);
+}
+