diff --git a/pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java b/pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java
index cecfeb6ad..39f2ce2c9 100644
--- a/pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java
+++ b/pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java
@@ -15,13 +15,17 @@
  */
 package ro.pippo.xstream;
-import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.security.NoTypePermission;
 import org.kohsuke.MetaInfServices;
 import ro.pippo.core.Application;
 import ro.pippo.core.ContentTypeEngine;
 import ro.pippo.core.HttpConstants;
+
+import com.thoughtworks.xstream.XStream;
 import ro.pippo.core.util.WhitelistObjectInputStream;
+import java.util.regex.Pattern;
+
 /**
  * An XmlEngine based on XStream.
  *
@@ -41,17 +45,17 @@ public String getContentType() {
 private XStream xstream() {
 XStream xstream = new XStream();
-// allow annotations on models for maximum flexibility
 xstream.autodetectAnnotations(true);
-// prevent xstream from creating complex XML graphs
 xstream.setMode(XStream.NO_REFERENCES);
-// setup security (see http://x-stream.github.io/security.html)
-xstream.allowTypes(WhitelistObjectInputStream.getWhiteClassNames());
-xstream.allowTypesByRegExp(WhitelistObjectInputStream.getWhiteRegEx());
+// clear out existing permissions and set own ones
+xstream.addPermission(NoTypePermission.NONE);
+//setup security
+xstream.allowTypes((String[]) WhitelistObjectInputStream.getWhitelistedClassNames().toArray());
+xstream.allowTypesByRegExp((Pattern[]) WhitelistObjectInputStream.getWhitelistedRegExp().toArray());
 return xstream;
 }
@@ -60,7 +64,6 @@ public String toString(Object object) {
 return xstream().toXML(object);
 }
-@SuppressWarnings("unchecked")
 @Override
 public T fromString(String content, Class classOfT) {
 return (T) xstream().fromXML(content);
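Review bot: The two new `allowTypes`/`allowTypesByRegExp` lines cast the result of the no-argument `toArray()` to `String[]` and `Pattern[]`, but `Collection.toArray()` returns `Object[]`, so the first call to `xstream()` throws `ClassCastException` (assuming `getWhitelistedClassNames()`/`getWhitelistedRegExp()` return collections, which the `.toArray()` call implies). Use the typed overload instead: `xstream.allowTypes(WhitelistObjectInputStream.getWhitelistedClassNames().toArray(new String[0]));` and `xstream.allowTypesByRegExp(WhitelistObjectInputStream.getWhitelistedRegExp().toArray(new Pattern[0]));`. Separately, `addPermission(NoTypePermission.NONE)` wipes every permission XStream registered by default (depending on the XStream version that includes null, primitives and their wrappers), not only the ones being replaced, so unless the shared whitelist already names those types the engine will reject ordinary model fields; re-adding `NullPermission.NULL` and `PrimitiveTypePermission.PRIMITIVES` right after the reset keeps deserialization of request bodies restricted to the whitelist without breaking simple payloads. Since the removed comment pointing at the XStream security page was the only explanation of this setup, the new comment should say why the reset is there, e.g. `// reset XStream's built-in permissions so only the shared whitelist below is trusted for untrusted XML`.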
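Review bot: Dropping `@SuppressWarnings("unchecked")` while keeping the `(T)` cast on the return line brings the unchecked-cast warning back instead of resolving it (the type parameters appear stripped in this rendering, but the cast is still there), and `classOfT` remains unused, so the cast performs no check at runtime. Replacing the body with `return classOfT.cast(xstream().fromXML(content));` removes the unchecked cast and makes a payload that does not describe the requested type fail at the call site rather than at some later use of the object. fromString's body continues past the end of the hunk.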