public class PersistentObjectCache {
private final File dir;
- private final Map<String, Object> objects = new HashMap<String, Object>();
+ private final Map<String, Object> objects = new HashMap<>();
class ConstrainedOIS extends ObjectInputStream {
- public ConstrainedOIS(InputStream in) throws IOException {
+ ConstrainedOIS(InputStream in) throws IOException {
super(in);
}
String name = desc.getName();
// Note: try to avoid adding more classes.
// LinkedHashMap is already more than enough for a DoS
- if (!name.equals(ArrayList.class.getName()) &&
- !name.equals(HashMap.class.getName()) &&
- !name.equals(LinkedHashMap.class.getName()) &&
- !name.equals(String.class.getName()) &&
- !name.equals(DictionaryApplication.DictionaryConfig.class.getName()) &&
- !name.equals(DictionaryInfo.class.getName()) &&
- !name.equals(DictionaryInfo.IndexInfo.class.getName())) {
- throw new InvalidClassException("Not allowed to deserialize class", name);
+ if (name.equals(String.class.getName()) ||
+ name.equals(DictionaryInfo.IndexInfo.class.getName()) ||
+ name.equals(ArrayList.class.getName()) ||
+ name.equals(HashMap.class.getName()) ||
+ name.equals(DictionaryInfo.class.getName()) ||
+ name.equals(DictionaryApplication.DictionaryConfig.class.getName()) ||
+ name.equals(LinkedHashMap.class.getName())) {
+ return super.resolveClass(desc);
}
- return super.resolveClass(desc);
+ throw new InvalidClassException("Not allowed to deserialize class", name);
}
}
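Review bot: The allowlist on the new side of resolveClass never sees dynamic proxies, because ConstrainedOIS does not override `resolveProxyClass`; a serialized `java.lang.reflect.Proxy` would have its interface names resolved by the default implementation before any allowlist applies, so add `@Override protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { throw new InvalidClassException("Not allowed to deserialize proxy class"); }` next to it. The comment above the list correctly admits that the permitted collection classes are enough for a DoS, yet the check caps neither nesting depth nor object count; where the runtime provides `ObjectInputFilter` (JEP 290), installing a filter such as `maxdepth=…;maxrefs=…` on the stream would close that gap — I cannot tell from the hunk which platform or Java level this targets. As a point of style, the seven chained `name.equals(...)` calls would read more clearly as a `private static final Set<String> ALLOWED_CLASSES` checked with `ALLOWED_CLASSES.contains(name)`, which also makes the "avoid adding more classes" intent explicit in one place. The signature of the enclosing resolveClass method lies above the hunk.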