...
| Code Block | ||||
|---|---|---|---|---|
| ||||
import java.io.*;
interface Whitelist {
public boolean hascontains(String className);
}
class WhitelistedObjectInputStream extends ObjectInputStream {
Whitelist whitelist;
public WhitelistedObjectInputStream(InputStream inputStream) throws IOException {
super(inputStream);
}
public void setWhitelist(Whitelist wl) {
whitelist = wl;
}
}
class OpenedFile implements Serializable {
public String filename;
public BufferedReader reader;
public OpenedFile(String _filename) throws FileNotFoundException {
filename = _filename;
init();
}
private void init() throws FileNotFoundException {
reader = new BufferedReader(new FileReader(filename));
}
private void writeObject(ObjectOutputStream out) throws IOException {
out.writeUTF(filename);
}
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
boolean isWhitelisted = ((in instanceof WhitelistedObjectInputStream) &&
((WhitelistedObjectInputStream) in).whitelist.hascontains(this.getClass().getName()));
if (!isWhitelisted) {
throw new SecurityException("Attempted to deserialize unexpected class.");
}
filename = in.readUTF();
init();
}
} |
...