From 19be7f51ae81adc171e60fa3ddb52c07d1e74a1c Mon Sep 17 00:00:00 2001
From: "Jamin W. Collins"
Date: Sat, 18 Aug 2018 10:31:22 -0600
Subject: [PATCH] configure XStream security for QuestDataIO

The printing of the exception caught in FControl is very helpful for any future issues caused by the security settings as it indicates which class was present in the stream, but not allowed.

Signed-off-by: Jamin W. Collins
---
 .../src/main/java/forge/control/FControl.java | 1 +
 .../screens/home/quest/CSubmenuQuestData.java | 1 +
 .../main/java/forge/quest/io/QuestDataIO.java | 20 +++++++++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/forge-gui-desktop/src/main/java/forge/control/FControl.java b/forge-gui-desktop/src/main/java/forge/control/FControl.java
index 9ef9c2d1ecd..d603c960e6c 100644
--- a/forge-gui-desktop/src/main/java/forge/control/FControl.java
+++ b/forge-gui-desktop/src/main/java/forge/control/FControl.java
@@ -234,6 +234,7 @@ public enum FControl implements KeyEventDispatcher {
 try {
 FModel.getQuest().load(QuestDataIO.loadData(data));
 } catch(IOException ex) {
+ ex.printStackTrace();
 System.out.println(String.format("Error loading quest data (%s).. skipping for now..", questname));
 }
 }
diff --git a/forge-gui-desktop/src/main/java/forge/screens/home/quest/CSubmenuQuestData.java b/forge-gui-desktop/src/main/java/forge/screens/home/quest/CSubmenuQuestData.java
index 7d4568af413..131805b738b 100644
--- a/forge-gui-desktop/src/main/java/forge/screens/home/quest/CSubmenuQuestData.java
+++ b/forge-gui-desktop/src/main/java/forge/screens/home/quest/CSubmenuQuestData.java
@@ -184,6 +184,7 @@ public enum CSubmenuQuestData implements ICDoc {
 System.out.println(String.format("About to load quest (%s)... ", f.getName()));
 arrQuests.put(f.getName(), QuestDataIO.loadData(f));
 } catch(IOException ex) {
+ ex.printStackTrace();
 System.out.println(String.format("Error loading quest data (%s).. skipping for now..", f.getName()));
 restorableQuests.add(f.getName());
 }
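Review bot: The added `ex.printStackTrace();` in the FControl catch block writes to stderr, while the next line, which names the quest, writes to stdout, so in a redirected or buffered log the trace naming the rejected class can end up separated from the save file that triggered it. Writing the context line to the same stream first keeps the two together for triage, e.g. `System.err.println(String.format("Error loading quest data (%s).. skipping for now..", questname));` followed by `ex.printStackTrace();`. The same applies to the CSubmenuQuestData hunk, where the context value is `f.getName()`. Both catch blocks sit in methods that start and end outside the hunks.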
diff --git a/forge-gui/src/main/java/forge/quest/io/QuestDataIO.java b/forge-gui/src/main/java/forge/quest/io/QuestDataIO.java
index 0eab4ba4ef7..de680502e37 100644
--- a/forge-gui/src/main/java/forge/quest/io/QuestDataIO.java
+++ b/forge-gui/src/main/java/forge/quest/io/QuestDataIO.java
@@ -17,6 +17,9 @@
 */
 package forge.quest.io;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 import forge.quest.data.QuestPreferences.QPref;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.converters.Converter;
@@ -78,6 +81,23 @@ public class QuestDataIO {
 */
 protected static XStream getSerializer(final boolean isIgnoring) {
 final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream();
+ // clear out existing permissions and set our own
+ xStream.addPermission(NoTypePermission.NONE);
+ // allow some basics
+ xStream.addPermission(NullPermission.NULL);
+ xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+ xStream.allowTypeHierarchy(String.class);
+ xStream.allowTypeHierarchy(QuestData.class);
+ xStream.allowTypeHierarchy(HashMap.class);
+ xStream.allowTypeHierarchy(Deck.class);
+ xStream.allowTypeHierarchy(DeckGroup.class);
+ xStream.allowTypeHierarchy(EnumMap.class);
+ xStream.allowTypeHierarchy(QuestItemType.class);
+ // allow any type from the same package
+ xStream.allowTypesByWildcard(new String[] {
+ QuestDataIO.class.getPackage().getName()+".*",
+ "forge.quest.data.*"
+ });
 xStream.registerConverter(new ItemPoolToXml());
 xStream.registerConverter(new DeckToXml());
 xStream.registerConverter(new DraftTournamentToXml());
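Review bot: In the getSerializer hunk, `allowTypeHierarchy` is applied to the JDK types `HashMap` and `EnumMap`, which admits every subclass of those types on the classpath rather than only the classes a quest save actually contains; `String` is final, so the hierarchy form adds nothing there. If saves hold only the exact classes (not verifiable from this hunk), an exact-type permission is tighter: `xStream.allowTypes(new Class[] { String.class, HashMap.class, EnumMap.class });`, keeping `allowTypeHierarchy` for the project types. The comment `// allow any type from the same package` also understates the list, since `forge.quest.data.*` is a second package; `// allow types directly in forge.quest.io and forge.quest.data (not sub-packages)` would match what the wildcards permit. getSerializer continues past the end of the hunk.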