+ class ConstrainedOIS extends ObjectInputStream {
+ public ConstrainedOIS(InputStream in) throws IOException {
+ super(in);
+ }
+
+ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ String name = desc.getName();
+ // Note: try to avoid adding more classes.
+ // LinkedHashMap is already more than enough for a DoS
+ if (!name.equals(ArrayList.class.getName()) &&
+ !name.equals(HashMap.class.getName()) &&
+ !name.equals(LinkedHashMap.class.getName()) &&
+ !name.equals(String.class.getName()) &&
+ !name.equals(DictionaryApplication.DictionaryConfig.class.getName()) &&
+ !name.equals(DictionaryInfo.class.getName()) &&
+ !name.equals(DictionaryInfo.IndexInfo.class.getName()))
+ {
+ throw new InvalidClassException("Not allowed to deserialize class", name);
+ }
+ return super.resolveClass(desc);
+ }
+ }
+