Fixed issue #774 - Removed default support of JavaBeans XML-serializa…

…tion. Reported by David Jorm, Dinis Cruz, Abraham Kang and alavaro Munoz.

build/tmpl/text/changes.txt

@@ -13,6 +13,8 @@ Changes log
       - Fixed issue #757 - Infinite Loop in Feed.
       - Fixed issue #753 - Date concurrency issue due to broken caching attempts. 
         Reported by @effad. Solved by Robert Fischer and Tim Peierls.
+      - Fixed issue #774 - Removed default support of JavaBeans XML-serialization.
+        Reported by David Jorm, Dinis Cruz, Abraham Kang and alavaro Munoz. 
     - Misc
        - Added log warning when an authentication scheme does not define a "realm" parameter.
          Reported by Loïc Oudot (#759).

modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java

@@ -78,6 +78,10 @@ public class DefaultConverter extends ConverterHelper {
     private static final VariantInfo VARIANT_OBJECT_XML = new VariantInfo(
             MediaType.APPLICATION_JAVA_OBJECT_XML);
 
+    /** Indicates whether the JavaBeans XML deserialization is supported or not. */
+    private static final boolean VARIANT_OBJECT_XML_SUPPORTED = Boolean
+            .getBoolean("org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED");
+
     @Override
     public List<Class<?>> getObjectClasses(Variant source) {
         List<Class<?>> result = null;
@@ -90,7 +94,8 @@ public List<Class<?>> getObjectClasses(Variant source) {
             MediaType mediaType = source.getMediaType();
 
             if (MediaType.APPLICATION_JAVA_OBJECT.equals(mediaType)
-                    || MediaType.APPLICATION_JAVA_OBJECT_XML.equals(mediaType)) {
+                    || (VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML
+                            .equals(mediaType))) {
                 result = addObjectClass(result, Object.class);
             } else if (MediaType.APPLICATION_WWW_FORM.equals(mediaType)) {
                 result = addObjectClass(result, Form.class);
@@ -123,7 +128,9 @@ public List<VariantInfo> getVariants(Class<?> source) {
                 result = addVariant(result, VARIANT_FORM);
             } else if (Serializable.class.isAssignableFrom(source)) {
                 result = addVariant(result, VARIANT_OBJECT);
-                result = addVariant(result, VARIANT_OBJECT_XML);
+                if (VARIANT_OBJECT_XML_SUPPORTED) {
+                    result = addVariant(result, VARIANT_OBJECT_XML);
+                }
             }
         }
 
@@ -160,11 +167,13 @@ public float score(Object source, Variant target, Resource resource) {
                 } else if (MediaType.APPLICATION_JAVA_OBJECT
                         .isCompatible(target.getMediaType())) {
                     result = 0.6F;
-                } else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target
-                        .getMediaType())) {
+                } else if (VARIANT_OBJECT_XML_SUPPORTED
+                        && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target
+                                .getMediaType())) {
                     result = 1.0F;
-                } else if (MediaType.APPLICATION_JAVA_OBJECT_XML
-                        .isCompatible(target.getMediaType())) {
+                } else if (VARIANT_OBJECT_XML_SUPPORTED
+                        && MediaType.APPLICATION_JAVA_OBJECT_XML
+                                .isCompatible(target.getMediaType())) {
                     result = 0.6F;
                 }
             } else {
@@ -216,11 +225,13 @@ public <T> float score(Representation source, Class<T> target,
                 } else if (MediaType.APPLICATION_JAVA_OBJECT
                         .isCompatible(source.getMediaType())) {
                     result = 0.6F;
-                } else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source
-                        .getMediaType())) {
+                } else if (VARIANT_OBJECT_XML_SUPPORTED
+                        && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source
+                                .getMediaType())) {
                     result = 1.0F;
-                } else if (MediaType.APPLICATION_JAVA_OBJECT_XML
-                        .isCompatible(source.getMediaType())) {
+                } else if (VARIANT_OBJECT_XML_SUPPORTED
+                        && MediaType.APPLICATION_JAVA_OBJECT_XML
+                                .isCompatible(source.getMediaType())) {
                     result = 0.6F;
                 } else {
                     result = 0.5F;
@@ -331,8 +342,10 @@ public <T> void updatePreferences(List<Preference<MediaType>> preferences,
         } else if (Serializable.class.isAssignableFrom(entity)) {
             updatePreferences(preferences, MediaType.APPLICATION_JAVA_OBJECT,
                     1.0F);
-            updatePreferences(preferences,
-                    MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F);
+            if (VARIANT_OBJECT_XML_SUPPORTED) {
+                updatePreferences(preferences,
+                        MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F);
+            }
         } else if (String.class.isAssignableFrom(entity)
                 || Reader.class.isAssignableFrom(entity)) {
             updatePreferences(preferences, MediaType.TEXT_PLAIN, 1.0F);

modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java

@@ -43,7 +43,26 @@
 import org.restlet.data.MediaType;
 
 /**
- * Representation based on a serializable Java object.
+ * Representation based on a serializable Java object.<br>
+ * It supports binary representations of JavaBeans using the
+ * {@link ObjectInputStream} and {@link ObjectOutputStream} classes. In this
+ * case, it handles representations having the following media type:
+ * {@link MediaType#APPLICATION_JAVA_OBJECT}
+ * ("application/x-java-serialized-object"). It also supports textual
+ * representations of JavaBeans using the {@link XMLEncoder} and
+ * {@link XMLDecoder} classes. In this case, it handles representations having
+ * the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT_XML}
+ * ("application/x-java-serialized-object+xml").
+ * 
+ * SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML
+ * presentations from unstrusted sources can lead to malicious attacks. As
+ * pointed <a href=
+ * "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html"
+ * >here</a> , the {@link XMLDecoder} is able to force the JVM to execute
+ * unwanted Java code described inside the XML file. Thus, the support of such
+ * format has been disactivated by default inside the default converter. You can
+ * activate this support by turning on the following system property:
+ * org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED.
  * 
  * @author Jerome Louvel
  * @param <T>