diff --git a/build/tmpl/text/changes.txt b/build/tmpl/text/changes.txt index 39c6a5dfe7..f965b2e72f 100644 --- a/build/tmpl/text/changes.txt +++ b/build/tmpl/text/changes.txt @@ -13,6 +13,8 @@ Changes log - Fixed issue #757 - Infinite Loop in Feed. - Fixed issue #753 - Date concurrency issue due to broken caching attempts. Reported by @effad. Solved by Robert Fischer and Tim Peierls. + - Fixed issue #774 - Removed default support of JavaBeans XML-serialization. + Reported by David Jorm, Dinis Cruz, Abraham Kang and alavaro Munoz. - Misc - Added log warning when an authentication scheme does not define a "realm" parameter. Reported by Loïc Oudot (#759). diff --git a/modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java b/modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java index 3455136629..3c97e6f700 100644 --- a/modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java +++ b/modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java @@ -78,6 +78,10 @@ public class DefaultConverter extends ConverterHelper { private static final VariantInfo VARIANT_OBJECT_XML = new VariantInfo( MediaType.APPLICATION_JAVA_OBJECT_XML); + /** Indicates whether the JavaBeans XML deserialization is supported or not. */ + private static final boolean VARIANT_OBJECT_XML_SUPPORTED = Boolean + .getBoolean("org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED"); + @Override public List> getObjectClasses(Variant source) { List> result = null; 
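Review bot: VARIANT_OBJECT_XML_SUPPORTED is a static final initialised by Boolean.getBoolean(), so the system property is read exactly once when DefaultConverter is first loaded; a value set later from application code, after anything has touched the converter, has no effect, and the new Javadoc does not say so. The comment also says "deserialization" while the flag gates both directions (getVariants and updatePreferences in the later hunks use it for the outbound side as well). Suggest `/** Whether JavaBeans XML (de)serialization is offered by this converter. Read once at class-load time from the system property "org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED"; off by default because XMLDecoder executes code contained in the document it parses. */`.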
@@ -90,7 +94,8 @@ public List> getObjectClasses(Variant source) { MediaType mediaType = source.getMediaType(); if (MediaType.APPLICATION_JAVA_OBJECT.equals(mediaType) - || MediaType.APPLICATION_JAVA_OBJECT_XML.equals(mediaType)) { + || (VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML + .equals(mediaType))) { result = addObjectClass(result, Object.class); } else if (MediaType.APPLICATION_WWW_FORM.equals(mediaType)) { result = addObjectClass(result, Form.class); @@ -123,7 +128,9 @@ public List getVariants(Class source) { result = addVariant(result, VARIANT_FORM); } else if (Serializable.class.isAssignableFrom(source)) { result = addVariant(result, VARIANT_OBJECT); - result = addVariant(result, VARIANT_OBJECT_XML); + if (VARIANT_OBJECT_XML_SUPPORTED) { + result = addVariant(result, VARIANT_OBJECT_XML); + } } } @@ -160,11 +167,13 @@ public float score(Object source, Variant target, Resource resource) { } else if (MediaType.APPLICATION_JAVA_OBJECT .isCompatible(target.getMediaType())) { result = 0.6F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target - .getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target + .getMediaType())) { result = 1.0F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML - .isCompatible(target.getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML + .isCompatible(target.getMediaType())) { result = 0.6F; } } else { 
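Review bot: The guard `VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(...)` is now written out inline here and again in the two score() hunks at -160 and -216, each time split across continuation lines, which makes the condition hard to read and easy to get wrong in one copy. A small private helper would keep the policy in one place: `private static boolean isSupportedObjectXml(MediaType mediaType) { return VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(mediaType); }` with a sibling for the isCompatible() form. The enclosing getObjectClasses() starts and ends outside this hunk.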
@@ -216,11 +225,13 @@ public float score(Representation source, Class target, } else if (MediaType.APPLICATION_JAVA_OBJECT .isCompatible(source.getMediaType())) { result = 0.6F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source - .getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source + .getMediaType())) { result = 1.0F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML - .isCompatible(source.getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML + .isCompatible(source.getMediaType())) { result = 0.6F; } else { result = 0.5F; @@ -331,8 +342,10 @@ public void updatePreferences(List> preferences, } else if (Serializable.class.isAssignableFrom(entity)) { updatePreferences(preferences, MediaType.APPLICATION_JAVA_OBJECT, 1.0F); - updatePreferences(preferences, - MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F); + if (VARIANT_OBJECT_XML_SUPPORTED) { + updatePreferences(preferences, + MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F); + } } else if (String.class.isAssignableFrom(entity) || Reader.class.isAssignableFrom(entity)) { updatePreferences(preferences, MediaType.TEXT_PLAIN, 1.0F); diff --git a/modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java b/modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java index f46a02e874..2513cb7245 100644 --- a/modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java +++ b/modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java @@ -43,7 +43,26 @@ import org.restlet.data.MediaType; /** - * Representation based on a serializable Java object. + * Representation based on a serializable Java object.
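Review bot: With the flag off, an inbound representation typed application/x-java-serialized-object+xml no longer matches either XML branch and drops into the trailing `else { result = 0.5F; }`, so this converter still reports a positive score for XML input instead of declining it. That is only safe if the method that actually performs the decoding refuses XML too; the toObject path where XMLDecoder would be invoked is not part of this diff, so I cannot confirm it also checks VARIANT_OBJECT_XML_SUPPORTED, and a gate applied only at negotiation time does not cover callers that build the representation without going through the converter. If a negative score is the converter's way of opting out, an explicit rejecting branch before the fallback, e.g. `} else if (MediaType.APPLICATION_JAVA_OBJECT_XML.isCompatible(source.getMediaType())) { result = -1.0F; }`, would make the refusal visible here. The if-chain in score(Representation, Class, ...) begins above this hunk.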
+ * It supports binary representations of JavaBeans using the + * {@link ObjectInputStream} and {@link ObjectOutputStream} classes. In this + * case, it handles representations having the following media type: + * {@link MediaType#APPLICATION_JAVA_OBJECT} + * ("application/x-java-serialized-object"). It also supports textual + * representations of JavaBeans using the {@link XMLEncoder} and + * {@link XMLDecoder} classes. In this case, it handles representations having + * the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT_XML} + * ("application/x-java-serialized-object+xml"). + * + * SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML + * presentations from unstrusted sources can lead to malicious attacks. As + * pointed here , the {@link XMLDecoder} is able to force the JVM to execute + * unwanted Java code described inside the XML file. Thus, the support of such + * format has been disactivated by default inside the default converter. You can + * activate this support by turning on the following system property: + * org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED. * * @author Jerome Louvel * @param