From a9026d2b4b54d200b21741542aeadd92f094e6e2 Mon Sep 17 00:00:00 2001 From: duanhongyi Date: Fri, 8 May 2020 21:28:09 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Djava9=E5=8F=8A=E4=BB=A5?= =?UTF-8?q?=E4=B8=8A=E7=89=88=E6=9C=AC=E9=9D=9E=E6=B3=95=E5=8F=8D=E5=B0=84?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../common/util/xml/XStreamInitializer.java | 37 ++++++++++++++++--- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java index 639fcf08d1..5fd7ceb2cb 100644 --- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java +++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java @@ -1,13 +1,18 @@ package me.chanjar.weixin.common.util.xml; -import java.io.Writer; - import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.converters.basic.*; +import com.thoughtworks.xstream.converters.collections.CollectionConverter; import com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider; +import com.thoughtworks.xstream.converters.reflection.ReflectionConverter; import com.thoughtworks.xstream.core.util.QuickWriter; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import com.thoughtworks.xstream.io.xml.PrettyPrintWriter; import com.thoughtworks.xstream.io.xml.XppDriver; +import com.thoughtworks.xstream.security.NoTypePermission; +import com.thoughtworks.xstream.security.WildcardTypePermission; + +import java.io.Writer; public class XStreamInitializer { private static final XppDriver XPP_DRIVER = new XppDriver() { @@ -41,14 +46,34 @@ public String encodeNode(String name) { }; public static XStream getInstance() { - XStream xstream = new XStream(new PureJavaReflectionProvider(), XPP_DRIVER); + XStream xstream = new XStream(new PureJavaReflectionProvider(), XPP_DRIVER) { + // only register the converters we need; other converters generate a private access warning in the console on Java9+... + @Override + protected void setupConverters() { + registerConverter(new NullConverter(), PRIORITY_VERY_HIGH); + registerConverter(new IntConverter(), PRIORITY_NORMAL); + registerConverter(new FloatConverter(), PRIORITY_NORMAL); + registerConverter(new DoubleConverter(), PRIORITY_NORMAL); + registerConverter(new LongConverter(), PRIORITY_NORMAL); + registerConverter(new ShortConverter(), PRIORITY_NORMAL); + registerConverter(new BooleanConverter(), PRIORITY_NORMAL); + registerConverter(new ByteConverter(), PRIORITY_NORMAL); + registerConverter(new StringConverter(), PRIORITY_NORMAL); + registerConverter(new DateConverter(), PRIORITY_NORMAL); + registerConverter(new CollectionConverter(getMapper()), PRIORITY_NORMAL); + registerConverter(new ReflectionConverter(getMapper(), getReflectionProvider()), PRIORITY_VERY_LOW); + } + }; xstream.ignoreUnknownElements(); xstream.setMode(XStream.NO_REFERENCES); XStream.setupDefaultSecurity(xstream); - xstream.allowTypesByWildcard(new String[]{ - "me.chanjar.weixin.**", "cn.binarywang.wx.**", "com.github.binarywang.**" - }); + xstream.autodetectAnnotations(true); + // setup proper security by limiting which classes can be loaded by XStream + xstream.addPermission(NoTypePermission.NONE); + xstream.addPermission(new WildcardTypePermission(new String[]{ + "me.chanjar.weixin.**", "cn.binarywang.wx.**", "com.github.binarywang.**" + })); xstream.setClassLoader(Thread.currentThread().getContextClassLoader()); return xstream; }