Problem description
Security framework of XStream not initialized, XStream is probably vulnerable
I keep getting this console error in red while using XStream (1.4.10)
I tried the following:
XStream.setupDefaultSecurity(xs);
and
xs.addPermission(AnyTypePermission.ANY);
xs.addPermission(NoTypePermission.NONE);
Neither of them got rid of it.
I do not need any fancy security settings, I just want to silence that warning. Maybe also prepare the code for 1.5.x
Recommended answer
I would not take security issues lightly. First, one should understand the severity of the problem; here is a starting point.
Then find out how people recommend the solution. The good place to start is from xstream website itself. There is an example which you can use as a starting point on xstream security page.
This would be my setup, which basically allows most of your code.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});
However, after diving more into their source code, this is my take:
// the argument is the XStream instance being configured (not "this" unless you subclass XStream)
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});
So essentially, you will need just one line once you upgrade to 1.5.
Please note that you may need more wildcards to suit your application's deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.
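The following is an added, self-contained example (not code from the question, the answer or the XStream project) that shows the allowlist approach from the answer end to end: a normal round trip of an allowed type still works, while a document naming a type that is not on the list is rejected with ForbiddenClassException before anything is instantiated. The UserProfile class and the "profile" alias are constructed for the demo; a real project would allow its own package with allowTypesByWildcard as in the answer. String is allowed explicitly because collection items are resolved by type name, and java.util.Date is used only as an arbitrary JDK type that is not on the list.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class XStreamAllowlistDemo {

    // Constructed demo domain class; stands in for the types under "com.your.package".
    public static class UserProfile {
        String name;
        int loginCount;
        List<String> roles = new ArrayList<String>();
    }

    /** Builds an XStream with an explicit allowlist instead of the 1.4.x "allow everything" default. */
    static XStream buildXStream() {
        XStream xstream = new XStream();
        // Adding NoTypePermission.NONE clears all existing permissions, so nothing is
        // allowed unless it is listed below.
        xstream.addPermission(NoTypePermission.NONE);
        // Basics: null, primitives and their boxed types, String, and Collection implementations.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Application types. A real project would use
        // xstream.allowTypesByWildcard(new String[] { "com.your.package.**" });
        // here the demo's own class is allowed explicitly.
        xstream.allowTypes(new Class[] { UserProfile.class });
        xstream.alias("profile", UserProfile.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = buildXStream();

        // 1. Round trip of an allowed type (with a String field and a List<String>) still works.
        UserProfile p = new UserProfile();
        p.name = "alice";
        p.loginCount = 3;
        p.roles.add("reader");
        String xml = xstream.toXML(p);
        UserProfile back = (UserProfile) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.name + " / " + back.loginCount + " / " + back.roles);

        // 2. A constructed document naming a JDK type outside the allowlist is rejected
        //    when the element name is resolved to a class, before any instance is created.
        String notAllowed = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(notAllowed);
            System.out.println("unexpected: a type outside the allowlist was deserialized");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Once the allowlist is in place the "Security framework of XStream not initialized" warning is no longer printed, because the permissions have been set explicitly; the catch block is the behaviour to look for in tests, since a ForbiddenClassException for an unexpected type is the signal that the allowlist is actually in effect.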