From 9b6f76eb169134c272146e2cd024cf0dffbf25c9 Mon Sep 17 00:00:00 2001
From: "Jamin W. Collins"
Date: Sat, 18 Aug 2018 10:12:24 -0600
Subject: [PATCH] configure XStream security for TournamentIO
Signed-off-by: Jamin W. Collins
---
 .../main/java/forge/tournament/TournamentIO.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/forge-gui/src/main/java/forge/tournament/TournamentIO.java b/forge-gui/src/main/java/forge/tournament/TournamentIO.java
index 3fb6249e036..d005efc38bf 100644
--- a/forge-gui/src/main/java/forge/tournament/TournamentIO.java
+++ b/forge-gui/src/main/java/forge/tournament/TournamentIO.java
@@ -6,6 +6,9 @@ import com.thoughtworks.xstream.converters.MarshallingContext;
 import com.thoughtworks.xstream.converters.UnmarshallingContext;
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 import forge.deck.CardPool;
 import forge.item.PaperCard;
 import forge.model.FModel;
@@ -32,6 +35,16 @@ public class TournamentIO {
 protected static XStream getSerializer(final boolean isIgnoring) {
 final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream();
+ // clear out existing permissions and set our own
+ xStream.addPermission(NoTypePermission.NONE);
+ // allow some basics
+ xStream.addPermission(NullPermission.NULL);
+ xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+ xStream.allowTypeHierarchy(String.class);
+ // allow any type from the same package
+ xStream.allowTypesByWildcard(new String[] {
+ TournamentIO.class.getPackage().getName()+".*"
+ });
 xStream.registerConverter(new DeckSectionToXml());
 xStream.autodetectAnnotations(true);
 return xStream;
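Review bot: The allowlist built in getSerializer admits only null, primitives, the String hierarchy and classes directly in the `forge.tournament` package, so any type name XStream has to resolve from the XML outside that set would be rejected with `ForbiddenClassException` when an existing tournament file is loaded. That could be a concrete collection class, or a `forge.deck`/`forge.item` type that `DeckSectionToXml` does not fully handle. The tournament model classes are not visible in this hunk, so this should be confirmed with a save/load round-trip test on a real tournament file rather than assumed. If a type turns out to be missing, add it by name, for example `xStream.allowTypes(new Class[] { CardPool.class });`, instead of widening the wildcard, so the deserialization surface stays limited to what the save format needs. The closing brace of getSerializer lies outside the hunk.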