configure XStream security for QuestDataIO

The printing of the exception caught in FControl is very helpful for any
future issues caused by the security settings as it indicates which
class was present in the stream, but not allowed.

Signed-off-by: Jamin W. Collins <jamin.collins@gmail.com>
Jamin W. Collins
2018-08-18 10:31:22 -06:00
parent efcee72780
commit 19be7f51ae
3 changed files with 22 additions and 0 deletions


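--- a/PATH_NOT_ON_PAGE/FControl.java
+++ b/PATH_NOT_ON_PAGE/FControl.java
@@ -234,6 +234,7 @@ public enum FControl implements KeyEventDispatcher {
 try {
 FModel.getQuest().load(QuestDataIO.loadData(data));
 } catch(IOException ex) {
+ex.printStackTrace();
 System.out.println(String.format("Error loading quest data (%s).. skipping for now..", questname));
 }
 }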
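Review bot: The added `ex.printStackTrace();` writes to System.err while the "Error loading quest data" message on the next line goes to System.out, so in a captured console log the trace that names the rejected class can end up far from, or out of order with, the message it explains; printing both to the same stream, e.g. `ex.printStackTrace(System.out);`, keeps them together. This also assumes QuestDataIO.loadData wraps XStream's ForbiddenClassException (an unchecked XStreamException) into the IOException caught here; if it does not, a forbidden class bypasses this catch entirely, which is worth confirming since the commit relies on this trace for diagnosis. The identical addition in CSubmenuQuestData has the same two issues. The enclosing method starts before this hunk.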


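--- a/PATH_NOT_ON_PAGE/CSubmenuQuestData.java
+++ b/PATH_NOT_ON_PAGE/CSubmenuQuestData.java
@@ -184,6 +184,7 @@ public enum CSubmenuQuestData implements ICDoc {
 System.out.println(String.format("About to load quest (%s)... ", f.getName()));
 arrQuests.put(f.getName(), QuestDataIO.loadData(f));
 } catch(IOException ex) {
+ex.printStackTrace();
 System.out.println(String.format("Error loading quest data (%s).. skipping for now..", f.getName()));
 restorableQuests.add(f.getName());
 }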


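--- a/PATH_NOT_ON_PAGE/forge/quest/io/QuestDataIO.java
+++ b/PATH_NOT_ON_PAGE/forge/quest/io/QuestDataIO.java
@@ -17,6 +17,9 @@
 */
 package forge.quest.io;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 import forge.quest.data.QuestPreferences.QPref;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.converters.Converter;
@@ -78,6 +81,23 @@ public class QuestDataIO {
 */
 protected static XStream getSerializer(final boolean isIgnoring) {
 final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream();
+// clear out existing permissions and set our own
+xStream.addPermission(NoTypePermission.NONE);
+// allow some basics
+xStream.addPermission(NullPermission.NULL);
+xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+xStream.allowTypeHierarchy(String.class);
+xStream.allowTypeHierarchy(QuestData.class);
+xStream.allowTypeHierarchy(HashMap.class);
+xStream.allowTypeHierarchy(Deck.class);
+xStream.allowTypeHierarchy(DeckGroup.class);
+xStream.allowTypeHierarchy(EnumMap.class);
+xStream.allowTypeHierarchy(QuestItemType.class);
+// allow any type from the same package
+xStream.allowTypesByWildcard(new String[] {
+QuestDataIO.class.getPackage().getName()+".*",
+"forge.quest.data.*"
+});
 xStream.registerConverter(new ItemPoolToXml());
 xStream.registerConverter(new DeckToXml());
 xStream.registerConverter(new DraftTournamentToXml());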
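Review bot: The permission list added in getSerializer is enforced by XStream only while unmarshalling, so a field of a type not listed here still saves without complaint and only fails later at load time with ForbiddenClassException; that asymmetry deserves a comment above `addPermission(NoTypePermission.NONE)`, e.g. `// XStream checks these permissions on load only: any new type stored in QuestData must be added here, or saved quests become unreadable`. The `.*` wildcard in `allowTypesByWildcard` matches a single package level, so classes in sub-packages of forge.quest.data would need `.**` or an entry of their own. Allowing the whole `QuestDataIO.class.getPackage()` (forge.quest.io) looks broader than necessary, since the stream should hold data types rather than the IO helpers in this package — confirm whether anything from it is actually read back before keeping that entry. getSerializer continues past the end of the hunk.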