import com.hughes.android.dictionary.DictionaryApplication;
import com.hughes.android.dictionary.DictionaryInfo;
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
public class PersistentObjectCache {
private final File dir;
- private final Map<String, Object> objects = new HashMap<String, Object>();
+ private final Map<String, Object> objects = new HashMap<>();
class ConstrainedOIS extends ObjectInputStream {
- public ConstrainedOIS(InputStream in) throws IOException {
+ ConstrainedOIS(InputStream in) throws IOException {
super(in);
}
String name = desc.getName();
// Note: try to avoid adding more classes.
// LinkedHashMap is already more than enough for a DoS
- if (!name.equals(ArrayList.class.getName()) &&
- !name.equals(HashMap.class.getName()) &&
- !name.equals(LinkedHashMap.class.getName()) &&
- !name.equals(String.class.getName()) &&
- !name.equals(DictionaryApplication.DictionaryConfig.class.getName()) &&
- !name.equals(DictionaryInfo.class.getName()) &&
- !name.equals(DictionaryInfo.IndexInfo.class.getName())) {
- throw new InvalidClassException("Not allowed to deserialize class", name);
+ if (name.equals(String.class.getName()) ||
+ name.equals(DictionaryInfo.IndexInfo.class.getName()) ||
+ name.equals(ArrayList.class.getName()) ||
+ name.equals(HashMap.class.getName()) ||
+ name.equals(DictionaryInfo.class.getName()) ||
+ name.equals(DictionaryApplication.DictionaryConfig.class.getName()) ||
+ name.equals(LinkedHashMap.class.getName())) {
+ return super.resolveClass(desc);
}
- return super.resolveClass(desc);
+ throw new InvalidClassException("Not allowed to deserialize class", name);
}
}
public synchronized <T extends Serializable> T read(final String filename, final Class<T> resultClass) {
try {
- Object object = (objects.get(filename));
+ Object object = objects.get(filename);
if (object != null) {
return resultClass.cast(object);
}
}
ObjectInputStream in = null;
try {
- in = new ConstrainedOIS(new FileInputStream(src));
+ in = new ConstrainedOIS(new BufferedInputStream(new FileInputStream(src)));
object = in.readObject();
in.close();
} catch (Exception e) {
Log.e(getClass().getSimpleName(), "Deserialization failed: " + src, e);
try {
if (in != null) in.close();
- } catch (IOException e2) {}
+ } catch (IOException ignored) {}
return null;
}
objects.put(filename, object);
final File dest = new File(dir, filename);
ObjectOutputStream out = null;
try {
- out = new ObjectOutputStream(new FileOutputStream(dest));
+ out = new ObjectOutputStream(new BufferedOutputStream(new FileOutputStream(dest)));
out.writeObject(object);
} catch (Exception e) {
Log.e(getClass().getSimpleName(), "Serialization failed: " + dest, e);
}
try {
if (out != null) out.close();
- } catch (IOException e) {}
+ } catch (IOException ignored) {}
}
private PersistentObjectCache(final Context context) {