Commit cc044978 authored by Jamin Collins's avatar Jamin Collins

configure XStream security for GauntletIO

Catching the ConversionException prevents Gauntlet saves from being
deleted in the event of improper or incomplete security settings on
XStream.  The null check in CSubmenuGauntletContests avoids an exception
should there be no Gauntlet saves.
Signed-off-by: Jamin Collins's avatarJamin W. Collins <jamin.collins@gmail.com>
parent b56b90ec
......@@ -67,10 +67,12 @@ public enum CSubmenuGauntletContests implements ICDoc {
private void updateData() {
final File[] files = GauntletIO.getGauntletFilesLocked();
final List<GauntletData> data = new ArrayList<GauntletData>();
for (final File f : files) {
final GauntletData gd = GauntletIO.loadGauntlet(f);
if (gd != null) {
data.add(gd);
if (files != null) {
for (final File f : files) {
final GauntletData gd = GauntletIO.loadGauntlet(f);
if (gd != null) {
data.add(gd);
}
}
}
......
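Review bot: The `files != null` guard in `updateData` fixes this one caller, but a null array from `GauntletIO.getGauntletFilesLocked()` would still reach any other caller that iterates the result. If that method wraps `File.listFiles`, which returns null both for a missing directory and on an I/O error, normalising there with `return files == null ? new File[0] : files;` would cover every caller. This is inferred, since the method body is not shown on this page. `updateData` continues past the end of the hunk.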
......@@ -7,10 +7,22 @@ import java.io.FileOutputStream;
import java.io.FilenameFilter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.List;
import java.util.Map.Entry;
import java.util.SortedSet;
import java.util.TreeMap;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import forge.deck.Deck;
import forge.deck.DeckSection;
import forge.error.BugReporter;
import org.apache.commons.lang3.StringUtils;
import com.thoughtworks.xstream.XStream;
......@@ -40,6 +52,25 @@ public class GauntletIO {
protected static XStream getSerializer(final boolean isIgnoring) {
final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream();
// clear out existing permissions and set our own
xStream.addPermission(NoTypePermission.NONE);
// allow some basics
xStream.addPermission(NullPermission.NULL);
xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xStream.allowTypeHierarchy(String.class);
xStream.allowTypeHierarchy(EnumMap.class);
xStream.allowTypeHierarchy(ArrayList.class);
xStream.allowTypeHierarchy(CardPool.class);
xStream.allowTypeHierarchy(SortedSet.class);
xStream.allowTypeHierarchy(Deck.class);
xStream.allowTypeHierarchy(TreeMap.class);
xStream.allowTypeHierarchy(List.class);
xStream.allowTypeHierarchy(DeckSection.class);
// allow any type from the same package
xStream.allowTypesByWildcard(new String[] {
GauntletIO.class.getPackage().getName()+".*",
String.class.getPackage().getName()+".*"
});
xStream.registerConverter(new DeckSectionToXml());
xStream.autodetectAnnotations(true);
return xStream;
......@@ -93,6 +124,9 @@ public class GauntletIO {
catch (final IOException e) {
e.printStackTrace();
}
catch (final ConversionException e) {
BugReporter.reportException(e);
}
catch (final Exception e) { //if there's a non-IO exception, delete the corrupt file
e.printStackTrace();
isCorrupt = true;
......
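Review bot: The second entry passed to `allowTypesByWildcard` in `getSerializer` resolves to `java.lang.*`, which admits every class in that package (for example `java.lang.ProcessBuilder`) right after `NoTypePermission.NONE` cleared the existing permissions, so a crafted save file is not limited to the types a gauntlet actually contains. `String` is already allowed and the primitives appear to be covered by `PrimitiveTypePermission.PRIMITIVES`, so the entry can probably be dropped: `xStream.allowTypesByWildcard(new String[] { GauntletIO.class.getPackage().getName() + ".*" });`. The `allowTypeHierarchy(List.class)` and `allowTypeHierarchy(SortedSet.class)` calls are similarly wide because they accept any implementation on the classpath; `allowTypes(new Class[] { ... })` with the concrete classes that saves use would be tighter. The closing brace of `getSerializer` is outside the hunk.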