X-Git-Url: http://gitweb.fperrin.net/?a=blobdiff_plain;f=src%2Fcom%2Fhughes%2Fandroid%2Futil%2FPersistentObjectCache.java;fp=src%2Fcom%2Fhughes%2Fandroid%2Futil%2FPersistentObjectCache.java;h=56c546e9d5a869da25e712e6a4e8897c718d6c2c;hb=a3086cfc95ca651d283ab639b1ace0b0ecc90ea3;hp=150e3e6d75b545b4d22e937eaf427d84471acf0b;hpb=abe2c6e24d103386b4ac0af29c9374760a3b3284;p=Dictionary.git
diff --git a/src/com/hughes/android/util/PersistentObjectCache.java b/src/com/hughes/android/util/PersistentObjectCache.java
index 150e3e6..56c546e 100644
--- a/src/com/hughes/android/util/PersistentObjectCache.java
+++ b/src/com/hughes/android/util/PersistentObjectCache.java
@@ -18,12 +18,21 @@ import android.content.Context;
 import android.os.Environment;
 import android.util.Log;
+import com.hughes.android.dictionary.DictionaryApplication;
+import com.hughes.android.dictionary.DictionaryInfo;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.io.ObjectStreamClass;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -32,6 +41,29 @@ public class PersistentObjectCache {
 private final File dir;
 private final Map objects = new LinkedHashMap();
+ class ConstrainedOIS extends ObjectInputStream {
+ public ConstrainedOIS(InputStream in) throws IOException {
+ super(in);
+ }
+
+ protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ String name = desc.getName();
+ // Note: try to avoid adding more classes.
+ // LinkedHashMap is already more than enough for a DoS
+ if (!name.equals(ArrayList.class.getName()) &&
+ !name.equals(HashMap.class.getName()) &&
+ !name.equals(LinkedHashMap.class.getName()) &&
+ !name.equals(String.class.getName()) &&
+ !name.equals(DictionaryApplication.DictionaryConfig.class.getName()) &&
+ !name.equals(DictionaryInfo.class.getName()) &&
+ !name.equals(DictionaryInfo.IndexInfo.class.getName()))
+ {
+ throw new InvalidClassException("Not allowed to deserialize class", name);
+ }
+ return super.resolveClass(desc);
+ }
+ }
+
 public synchronized T read(final String filename, final Class resultClass) {
 try {
 Object object = (objects.get(filename));
@@ -45,7 +77,7 @@ public class PersistentObjectCache {
 return null;
 }
 try {
- final ObjectInputStream in = new ObjectInputStream(new FileInputStream(src));
+ final ObjectInputStream in = new ConstrainedOIS(new FileInputStream(src));
 object = in.readObject();
 in.close();
 } catch (Exception e) {
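Review bot: The allowlist in resolveClass leaves the proxy-descriptor path uncovered: ObjectInputStream resolves dynamic-proxy class descriptors through resolveProxyClass, which ConstrainedOIS inherits unchanged, so proxy descriptors in a cache file are not subject to this check. Add the companion override `@Override protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { throw new InvalidClassException("Not allowed to deserialize proxy class"); }` so both resolution paths reject anything outside the list. Note also that array descriptors (for example `[Ljava.lang.String;`) reach resolveClass under their own name, so if DictionaryInfo, IndexInfo or DictionaryConfig declare array-typed fields the cache read will now throw — worth confirming against those classes. As a point of style, ConstrainedOIS is a non-static inner class carrying a hidden reference to the enclosing PersistentObjectCache that it never uses, and resolveClass lacks `@Override`; `private static final class ConstrainedOIS` with `@Override` on the method states the intent.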
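Review bot: With ConstrainedOIS, readObject() on the line after the changed one gains an expected failure path (InvalidClassException raised from resolveClass), and on that path `in.close()` is skipped because it follows readObject() inside the try instead of sitting in a finally, so every rejected cache file leaks its FileInputStream. If the project's source level permits it, `try (final ObjectInputStream in = new ConstrainedOIS(new FileInputStream(src))) { object = in.readObject(); }` closes the stream on both outcomes; otherwise move the close into a finally block. The enclosing `read` method begins and ends outside this hunk, so how the catch block reports a rejected file cannot be judged here.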