Commit 19be7f51 authored by Jamin Collins's avatar Jamin Collins

configure XStream security for QuestDataIO

The printing of the exception caught in FControl is very helpful for any
future issues caused by the security settings as it indicates which
class was present in the stream, but not allowed.
Signed-off-by: Jamin Collins's avatarJamin W. Collins <jamin.collins@gmail.com>
parent efcee727
......@@ -234,6 +234,7 @@ public enum FControl implements KeyEventDispatcher {
try {
FModel.getQuest().load(QuestDataIO.loadData(data));
} catch(IOException ex) {
ex.printStackTrace();
System.out.println(String.format("Error loading quest data (%s).. skipping for now..", questname));
}
}
......
......@@ -184,6 +184,7 @@ public enum CSubmenuQuestData implements ICDoc {
System.out.println(String.format("About to load quest (%s)... ", f.getName()));
arrQuests.put(f.getName(), QuestDataIO.loadData(f));
} catch(IOException ex) {
ex.printStackTrace();
System.out.println(String.format("Error loading quest data (%s).. skipping for now..", f.getName()));
restorableQuests.add(f.getName());
}
......
......@@ -17,6 +17,9 @@
*/
package forge.quest.io;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import forge.quest.data.QuestPreferences.QPref;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.Converter;
......@@ -78,6 +81,23 @@ public class QuestDataIO {
*/
protected static XStream getSerializer(final boolean isIgnoring) {
final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream();
// clear out existing permissions and set our own
xStream.addPermission(NoTypePermission.NONE);
// allow some basics
xStream.addPermission(NullPermission.NULL);
xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xStream.allowTypeHierarchy(String.class);
xStream.allowTypeHierarchy(QuestData.class);
xStream.allowTypeHierarchy(HashMap.class);
xStream.allowTypeHierarchy(Deck.class);
xStream.allowTypeHierarchy(DeckGroup.class);
xStream.allowTypeHierarchy(EnumMap.class);
xStream.allowTypeHierarchy(QuestItemType.class);
// allow any type from the same package
xStream.allowTypesByWildcard(new String[] {
QuestDataIO.class.getPackage().getName()+".*",
"forge.quest.data.*"
});
xStream.registerConverter(new ItemPoolToXml());
xStream.registerConverter(new DeckToXml());
xStream.registerConverter(new DraftTournamentToXml());
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment