JBoss Rich Faces SVN: r23243 - in branches/enterprise/3.3.1.SP3_test_patch/ui: scrollableDataTable/src/main/javascript/ClientUI/common/box and 2 other directories.
by richfaces-svn-commits@lists.jboss.org
Author: ivassile
Date: 2013-06-28 13:52:42 -0400 (Fri, 28 Jun 2013)
New Revision: 23243
Modified:
branches/enterprise/3.3.1.SP3_test_patch/ui/extendedDataTable/src/main/javascript/ClientUI/controls/datatable/ExtendedDataTableSelection.js
branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/box/Box.js
branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/utils/Utils.js
branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/controls/grid/GridBody.js
Log:
Submitting fixes for RF-7173, RF-10793, RF-1107 and RF-7169.
Modified: branches/enterprise/3.3.1.SP3_test_patch/ui/extendedDataTable/src/main/javascript/ClientUI/controls/datatable/ExtendedDataTableSelection.js
===================================================================
--- branches/enterprise/3.3.1.SP3_test_patch/ui/extendedDataTable/src/main/javascript/ClientUI/controls/datatable/ExtendedDataTableSelection.js 2013-06-28 16:54:14 UTC (rev 23242)
+++ branches/enterprise/3.3.1.SP3_test_patch/ui/extendedDataTable/src/main/javascript/ClientUI/controls/datatable/ExtendedDataTableSelection.js 2013-06-28 17:52:42 UTC (rev 23243)
@@ -555,6 +555,7 @@
range = [this.startRow, this.endRow];
this.setSelection(range);
} else if (!event.shiftKey && event.ctrlKey && !event.altKey) {
+ this.selectionFlag = "x"; //RF-10793
if (this.selection.isSelectedId(rowIndex)) {
this.removeRowFromSelection(rowIndex);
} else {
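Review bot: The added line carries only a ticket number (`//RF-10793`) and a magic value `"x"`, so a reader cannot tell what `selectionFlag` means or why a ctrl-click sets it; the Box.js (`// offsetHeight; RF-7173`) and Utils.js (`//RF-7169`) hunks of this commit have the same ticket-only comments. State the intent where the value is set, e.g. `this.selectionFlag = "x"; // RF-10793: <what consumers of selectionFlag do when it is "x">`, with the placeholder filled from the code that reads the flag. The enclosing click handler starts and ends outside the hunk.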
Modified: branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/box/Box.js
===================================================================
--- branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/box/Box.js 2013-06-28 16:54:14 UTC (rev 23242)
+++ branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/box/Box.js 2013-06-28 17:52:42 UTC (rev 23243)
@@ -72,7 +72,7 @@
getHeight: function() {
var el = this.getElement();
if(el.tagName.toLowerCase() != "body") {
- var h = el.offsetHeight;
+ var h = el.getHeight(); // offsetHeight; RF-7173
return h>0 ? h : (this.element.boxHeight ? parseInt(this.element.boxHeight) : 0);
}
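Review bot: `el.getHeight()` on the changed line relies on `el` being a Prototype-extended element; if `getElement()` can hand back a raw DOM node (older IE does not auto-extend), the call throws where `offsetHeight` used to work, and `var h = $(el).getHeight();` removes that dependence. The trailing `// offsetHeight; RF-7173` reads like leftover code rather than an explanation; a comment on why `getHeight()` is preferred over `offsetHeight` here (presumably it copes with a hidden element — to be confirmed) would serve the next reader better. The rest of `getHeight` lies outside the hunk.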
Modified: branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/utils/Utils.js
===================================================================
--- branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/utils/Utils.js 2013-06-28 16:54:14 UTC (rev 23242)
+++ branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/common/utils/Utils.js 2013-06-28 17:52:42 UTC (rev 23243)
@@ -231,6 +231,7 @@
scrollElement.scrollTop--;
}
scrollElement.scrollTop = scrollTop;
+ grid.getBody().setScrollPos(scrollTop);//RF-7169
}, 50);
}
Modified: branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/controls/grid/GridBody.js
===================================================================
--- branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/controls/grid/GridBody.js 2013-06-28 16:54:14 UTC (rev 23242)
+++ branches/enterprise/3.3.1.SP3_test_patch/ui/scrollableDataTable/src/main/javascript/ClientUI/controls/grid/GridBody.js 2013-06-28 17:52:42 UTC (rev 23243)
@@ -39,6 +39,7 @@
},
// event listeners
_onContentHScroll: function(event) {
+ this.syncScrollActive = false;
this.grid.adjustScrollPosition(event.memo.pos);
},
_onDataReady: function(options) {
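Review bot: `this.syncScrollActive` is introduced here, in `_onContentVScroll` (next hunk) and in the init hunk without any statement of what it gates; from the last hunk it is set only by a Tab keydown and `synchronizeScroll` acts only while it is true, but that takes a trace through three hunks to learn. A one-line comment at the first reset would do, e.g. `this.syncScrollActive = false; // cleared on any content scroll; synchronizeScroll only re-syncs the boxes while a Tab keydown has set this`. `_onDataReady` continues outside the hunk.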
@@ -50,6 +51,7 @@
window.loadingInvalidateTime = (new Date()).getTime();
},
_onContentVScroll: function(event) {
+ this.syncScrollActive = false;
this.helpObject1.moveToY(this.sizeBox.element.offsetHeight+ this.defaultRowHeight + 5);
this.helpObject2.moveToY(this.sizeBox.element.offsetHeight+ this.defaultRowHeight + 5);
this.setScrollPos(event.memo.pos);
@@ -67,7 +69,8 @@
break;
}
}
- Event.observe(this.container.getElement(), 'keypress', this.synchronizeScroll.bindAsEventListener(this));
+ this.syncScrollActive = false;
+ Event.observe(this.container.getElement(), 'scroll', this.synchronizeScroll.bindAsEventListener(this));
// create scroll box
this.scrollBox = new ClientUI.common.box.ScrollableBox(this.gridId + ":scb", this.getElement());
@@ -91,9 +94,15 @@
}
this.contentBox = new ClientUI.common.box.Box(normal);
- Event.observe(this.contentBox.getElement(), 'keypress', this.synchronizeScroll.bindAsEventListener(this));
+ Event.observe(this.contentBox.getElement(), "keyup", this.synchronizeKeyUp.bindAsEventListener(this));
+ Event.observe(this.contentBox.getElement(), "keydown", this.synchronizeKeyDown.bindAsEventListener(this));
+ Event.observe(this.contentBox.getElement(), 'scroll', this.synchronizeScroll.bindAsEventListener(this));
this.frozenContentBox = new ClientUI.common.box.Box(frozen);
+ Event.observe(this.frozenContentBox.getElement(), "keyup", this.synchronizeKeyUp.bindAsEventListener(this));
+ Event.observe(this.frozenContentBox.getElement(), "keydown", this.synchronizeKeyDown.bindAsEventListener(this));
+ Event.observe(this.frozenContentBox.getElement(), "scroll", this.synchronizeScroll.bindAsEventListener(this));
+
this.helpObject1 = new ClientUI.common.box.Box(this.gridId + ":nho", this.contentBox.getElement());
this.helpObject2 = new ClientUI.common.box.Box(this.gridId + ":fho", this.frozenContentBox.getElement());
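Review bot: The six new `Event.observe` lines mix quote styles (`"keyup"`, `"keydown"` next to `'scroll'`) and repeat the same three registrations for `contentBox` and `frozenContentBox`, so a later change to one listener set is easy to miss on the other. A small local helper applied to both boxes keeps the two in lockstep; the registration order relative to box construction is unchanged in effect. The enclosing init method starts and ends outside the hunk.
```javascript
// … unchanged: this.contentBox and this.frozenContentBox construction …
var observeScrollSync = function(box) {
    var el = box.getElement();
    Event.observe(el, "keyup", this.synchronizeKeyUp.bindAsEventListener(this));
    Event.observe(el, "keydown", this.synchronizeKeyDown.bindAsEventListener(this));
    Event.observe(el, "scroll", this.synchronizeScroll.bindAsEventListener(this));
}.bind(this);
observeScrollSync(this.contentBox);
observeScrollSync(this.frozenContentBox);
```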
@@ -645,9 +654,52 @@
},
synchronizeScroll: function(event) {
- if(Event.KEY_TAB == event.keyCode || Event.KEY_TAB == event.charCode) {
- Event.stop(event);
+ if (this.syncScrollActive) {
+ if (this.contentBox.element.parentElement.scrollLeft > 0) {
+ var t = this.contentBox.element.parentElement.scrollLeft;
+ this.contentBox.element.parentElement.scrollLeft = 0;
+ this.scrollBox.element.scrollLeft += t;
+
+ } else if (this.contentBox.element.scrollLeft > 0) {
+ var t = this.contentBox.element.scrollLeft;
+ this.contentBox.element.scrollLeft = 0;
+ this.scrollBox.element.scrollLeft += t;
+ }
+ if (this.frozenContentBox.element.scrollTop != this.scrollBox.element.scrollTop) {
+ this.scrollBox.element.scrollTop = this.frozenContentBox.element.scrollTop;
+
+ } else if (this.contentBox.element.scrollTop != this.scrollBox.element.scrollTop) {
+ this.scrollBox.element.scrollTop = this.contentBox.element.scrollTop;
+ }
}
+ },
+
+ synchronizeKeyDown: function (event) {
+ if (Event.KEY_TAB == event.keyCode || Event.KEY_TAB == event.charCode) {
+ this.syncScrollActive = true;
+ }
+ },
+
+ synchronizeKeyUp: function (event) {
+ if (Event.KEY_TAB == event.keyCode || Event.KEY_TAB == event.charCode) {
+ var k = 0;
+ var el = document.activeElement;
+ if (el) {
+ k += el.offsetLeft;
+ while (el != this.templNormal.element) {
+ el = el.parentElement;
+ k += el.offsetLeft;
+ if (el == this.templFrozen.element) {
+ k = 0;
+ this.scrollBox.element.scrollLeft = 0;
+ return;
+ }
+ }
+ if (k < 0) {
+ this.scrollBox.element.scrollLeft += k;
+ }
+ }
+ }
}
});
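Review bot: In `synchronizeKeyUp` the parent walk does `el = el.parentElement; k += el.offsetLeft;` before the loop condition re-checks `el`, so if `document.activeElement` is not a descendant of `templNormal.element` or `templFrozen.element` (focus landed outside the grid, or a browser without `parentElement` on elements) the walk reaches `null` and throws. Guard the step: `el = el.parentElement; if (!el) { return; } k += el.offsetLeft;`. `synchronizeScroll` also declares `var t` twice in the same function; hoisting makes it harmless, but a single `var t;` before the first `if` reads cleaner.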
JBoss Rich Faces SVN: r23242 - branches/enterprise.
by richfaces-svn-commits@lists.jboss.org
Author: ivassile
Date: 2013-06-28 12:54:14 -0400 (Fri, 28 Jun 2013)
New Revision: 23242
Added:
branches/enterprise/3.3.1.SP3_test_patch/
Log:
Creating a branch for patching RF-7173, RF-10793, RF-1107 and RF-7169.
JBoss Rich Faces SVN: r23240 - in branches/embargo/3.3.1.SP3_JBPAPP-10776: framework/impl/src/main/resources/org/ajax4jsf and 4 other directories.
by richfaces-svn-commits@lists.jboss.org
Author: bleathem
Date: 2013-06-19 04:35:27 -0400 (Wed, 19 Jun 2013)
New Revision: 23240
Added:
branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java
branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java
branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/resources/org/ajax4jsf/resource/
branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties
Modified:
branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java
branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java
branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java
branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java
branches/embargo/3.3.1.SP3_JBPAPP-10776/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java
Log:
JBPAPP-10776 patch for RichFaces 3.3.1.SP3, implementing a LookAheadObjectInputStream for object deserialisation
Added: branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java (rev 0)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -0,0 +1,148 @@
+/**
+ * JBoss, Home of Professional Open Source
+ * Copyright 2010, Red Hat, Inc. and individual contributors
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ **/
+package org.ajax4jsf.resource;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * When deserializing objects, first check that the class being deserialized is in the allowed whitelist.
+ *
+ * @author <a href="http://community.jboss.org/people/bleathem">Brian Leathem</a>
+ */
+public class LookAheadObjectInputStream extends ObjectInputStream {
+ private static final Map<String, Class<?>> PRIMITIVE_TYPES = new HashMap<String, Class<?>>(9, 1.0F);
+ private static Set<Class> whitelistBaseClasses = new HashSet<Class>();
+ private static Set<String> whitelistClassNameCache = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
+
+ static {
+ PRIMITIVE_TYPES.put("bool", Boolean.TYPE);
+ PRIMITIVE_TYPES.put("byte", Byte.TYPE);
+ PRIMITIVE_TYPES.put("char", Character.TYPE);
+ PRIMITIVE_TYPES.put("short", Short.TYPE);
+ PRIMITIVE_TYPES.put("int", Integer.TYPE);
+ PRIMITIVE_TYPES.put("long", Long.TYPE);
+ PRIMITIVE_TYPES.put("float", Float.TYPE);
+ PRIMITIVE_TYPES.put("double", Double.TYPE);
+ PRIMITIVE_TYPES.put("void", Void.TYPE);
+
+ whitelistClassNameCache.add(new Object[0].getClass().getName());
+ whitelistClassNameCache.add(new String[0].getClass().getName());
+ whitelistClassNameCache.add(new Boolean[0].getClass().getName());
+ whitelistClassNameCache.add(new Byte[0].getClass().getName());
+ whitelistClassNameCache.add(new Character[0].getClass().getName());
+ whitelistClassNameCache.add(new Short[0].getClass().getName());
+ whitelistClassNameCache.add(new Integer[0].getClass().getName());
+ whitelistClassNameCache.add(new Long[0].getClass().getName());
+ whitelistClassNameCache.add(new Float[0].getClass().getName());
+ whitelistClassNameCache.add(new Double[0].getClass().getName());
+ whitelistClassNameCache.add(new Void[0].getClass().getName());
+
+ whitelistBaseClasses.add(String.class);
+ whitelistBaseClasses.add(Boolean.class);
+ whitelistBaseClasses.add(Byte.class);
+ whitelistBaseClasses.add(Character.class);
+ whitelistBaseClasses.add(Number.class);
+
+ loadWhitelist();
+ }
+
+ public LookAheadObjectInputStream(InputStream in) throws IOException {
+ super(in);
+ }
+
+ /**
+ * Only deserialize primitive or whitelisted classes
+ */
+ @Override
+ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ Class<?> primitiveType = PRIMITIVE_TYPES.get(desc.getName());
+ if (primitiveType != null) {
+ return primitiveType;
+ }
+ if (!isClassValid(desc.getName())) {
+ throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+ }
+ return super.resolveClass(desc);
+ }
+
+ /**
+ * Determine if the given requestedClassName is allowed by the whitelist
+ */
+ boolean isClassValid(String requestedClassName) {
+ if (whitelistClassNameCache.contains(requestedClassName)) {
+ return true;
+ }
+ try {
+ Class<?> requestedClass = Class.forName(requestedClassName);
+ for (Class baseClass : whitelistBaseClasses ) {
+ if (baseClass.isAssignableFrom(requestedClass)) {
+ whitelistClassNameCache.add(requestedClassName);
+ return true;
+ }
+ }
+ } catch (ClassNotFoundException e) {
+ return false;
+ }
+ return false;
+ }
+
+ /**
+ * Load the whitelist from the properties file
+ */
+ static void loadWhitelist() {
+ Properties whitelistProperties = new Properties();
+ InputStream stream = null;
+ try {
+ stream = LookAheadObjectInputStream.class.getResourceAsStream("resource-serialization.properties");
+ whitelistProperties.load(stream);
+ } catch (IOException e) {
+ throw new RuntimeException("Error loading the ResourceBuilder.properties file", e);
+ } finally {
+ if (stream != null) {
+ try {
+ stream.close();
+ } catch (IOException e) {
+ throw new RuntimeException("Error closing the ResourceBuilder.properties file", e);
+ }
+ }
+ }
+ for (String baseClassName : whitelistProperties.getProperty("whitelist").split(",")) {
+ try {
+ Class<?> baseClass = Class.forName(baseClassName);
+ whitelistBaseClasses.add(baseClass);
+ } catch (ClassNotFoundException e) {
+ throw new RuntimeException("Unable to load whiteList class " + baseClassName, e);
+ }
+ }
+ }
+}
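Review bot: `isClassValid` calls `Class.forName(requestedClassName)` on a name read straight from the stream, which loads and runs the static initializer of any class reachable from this loader before the whitelist is consulted; pass `initialize=false`, as the JDK's own `resolveClass` does, so a rejected name is only looked up and never initialized. `resolveProxyClass` is not overridden, so dynamic-proxy descriptors bypass the whitelist check entirely and should be refused. The `PRIMITIVE_TYPES` key `"bool"` does not match the descriptor name `"boolean"`, so a serialized `boolean.class` falls through to `isClassValid` and is rejected. `loadWhitelist` also hands a possibly-null stream to `Properties.load` and its messages name `ResourceBuilder.properties` while the file is `resource-serialization.properties`. The identical file in r23239 further down has the same issues.
```java
// … unchanged: PRIMITIVE_TYPES map, with the "bool" key corrected to "boolean" …

boolean isClassValid(String requestedClassName) {
    if (whitelistClassNameCache.contains(requestedClassName)) {
        return true;
    }
    try {
        // initialize=false: look the class up without running its static initializer,
        // because the name comes from the untrusted stream
        Class<?> requestedClass = Class.forName(requestedClassName, false,
                LookAheadObjectInputStream.class.getClassLoader());
        // … unchanged: whitelistBaseClasses assignability loop …
    } catch (ClassNotFoundException e) {
        return false;
    }
    return false;
}

/** Proxy descriptors are not covered by the class whitelist; refuse them. */
@Override
protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
    throw new InvalidClassException("Unauthorized deserialization attempt", "dynamic proxy");
}
```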
Modified: branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java 2013-06-19 08:15:45 UTC (rev 23239)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -374,8 +374,7 @@
data = objectArray;
} else {
try {
- ObjectInputStream in = new ObjectInputStream(
- new ByteArrayInputStream(objectArray));
+ ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(objectArray));
data = in.readObject();
} catch (StreamCorruptedException e) {
log.error(Messages
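Review bot: The filter now reports a rejected class by throwing `InvalidClassException` out of `readObject`, but the only catch visible here is for `StreamCorruptedException`; unless a later catch outside the hunk handles it, a refused deserialization attempt is indistinguishable from any other failure. Catching it alongside and logging at warn level gives operators a signal worth alerting on, e.g. `} catch (InvalidClassException e) { log.warn("Rejected deserialization: " + e.getMessage(), e); }` placed before the `StreamCorruptedException` clause. Note the filter passes the class name as the constructor's `reason` argument, so `e.getMessage()` rather than `e.classname` carries it. The enclosing method starts and ends outside the hunk; the same applies to the r23239 copy.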
Added: branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java (rev 0)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -0,0 +1,31 @@
+/**
+ * JBoss, Home of Professional Open Source
+ * Copyright 2010, Red Hat, Inc. and individual contributors
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ **/
+package org.ajax4jsf.resource;
+
+/**
+ * A marker interface, used to indicate that the class implementing this interfaces is cleared for deserialisation by
+ * the LookAheadObjectInputStream
+ *
+ * @author <a href="http://community.jboss.org/people/bleathem">Brian Leathem</a>
+ */
+public interface SerializableResource extends java.io.Serializable {
+}
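Review bot: The Javadoc should spell out the consequence of implementing this interface, since it is the opt-in that lets `LookAheadObjectInputStream` reconstruct a class from the resource data `ResourceBuilderImpl` decodes: every field type must itself pass the whitelist, and invariants should be re-validated in `readObject` because the bytes are not trusted. Suggest `Marker interface for classes that may be deserialised by LookAheadObjectInputStream; implementing it makes instances reconstructible from untrusted resource data, so implementers should validate their state in readObject.` Also `this interfaces is cleared` should read `this interface is cleared`. The same applies to the copy in r23239.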
Modified: branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java 2013-06-19 08:15:45 UTC (rev 23239)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -23,7 +23,6 @@
import java.io.IOException;
import java.io.OutputStream;
-import java.io.Serializable;
import java.util.Date;
import javax.el.ELContext;
@@ -156,7 +155,7 @@
return true;
}
- public static class UriData implements Serializable {
+ public static class UriData implements SerializableResource {
/**
*
Added: branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties (rev 0)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties 2013-06-19 08:35:27 UTC (rev 23240)
@@ -0,0 +1 @@
+whitelist = org.ajax4jsf.resource.InternetResource,org.ajax4jsf.resource.SerializableResource,javax.el.Expression,javax.faces.el.MethodBinding,javax.faces.component.StateHolderSaver,java.awt.Color
\ No newline at end of file
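Review bot: Because `isClassValid` accepts any class assignable to a listed type, entries such as `javax.el.Expression` and `javax.faces.el.MethodBinding` admit every concrete subclass the EL and JSF implementations ship, and `java.lang.Number` (added in the static block) admits every Number subclass on the classpath, including third-party ones, so the effective whitelist is much wider than these six names suggest. Consider matching the EL/JSF entries by exact class name, or documenting why whole hierarchies are required. The file also has no trailing newline and no comment on its format; `# comma-separated base classes; LookAheadObjectInputStream accepts any subtype of each` would help. The copy in r23239 is identical.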
Modified: branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java 2013-06-19 08:15:45 UTC (rev 23239)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -1,10 +1,11 @@
package org.richfaces.demo.media;
import java.awt.Color;
-import java.io.Serializable;
-public class MediaData implements Serializable{
+import org.ajax4jsf.resource.SerializableResource;
+public class MediaData implements SerializableResource {
+
private static final long serialVersionUID = 1L;
Integer Width=110;
Integer Height=50;
Modified: branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java 2013-06-19 08:15:45 UTC (rev 23239)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -1,8 +1,8 @@
package org.richfaces.demo.paint2d;
-import java.io.Serializable;
+import org.ajax4jsf.resource.SerializableResource;
-public class PaintData implements Serializable{
+public class PaintData implements SerializableResource {
/**
*
*/
Modified: branches/embargo/3.3.1.SP3_JBPAPP-10776/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java
===================================================================
--- branches/embargo/3.3.1.SP3_JBPAPP-10776/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java 2013-06-19 08:15:45 UTC (rev 23239)
+++ branches/embargo/3.3.1.SP3_JBPAPP-10776/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java 2013-06-19 08:35:27 UTC (rev 23240)
@@ -27,7 +27,6 @@
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
-import java.io.Serializable;
import javax.faces.FacesException;
import javax.faces.component.UIComponentBase;
@@ -41,6 +40,7 @@
import org.ajax4jsf.resource.PngRenderer;
import org.ajax4jsf.resource.ResourceContext;
import org.ajax4jsf.resource.ResourceRenderer;
+import org.ajax4jsf.resource.SerializableResource;
import org.ajax4jsf.util.HtmlColor;
import org.richfaces.component.UIPaint2D;
@@ -126,7 +126,7 @@
}
}
- private static final class ImageData implements Serializable {
+ private static final class ImageData implements SerializableResource {
private static final long serialVersionUID = 4452040100045367728L;
JBoss Rich Faces SVN: r23239 - in branches/embargo/3.3.3.Final_BZ#973877: framework/impl/src/main/resources/org/ajax4jsf and 4 other directories.
by richfaces-svn-commits@lists.jboss.org
Author: bleathem
Date: 2013-06-19 04:15:45 -0400 (Wed, 19 Jun 2013)
New Revision: 23239
Added:
branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java
branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java
branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/resources/org/ajax4jsf/resource/
branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties
Modified:
branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java
branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java
branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java
branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java
branches/embargo/3.3.3.Final_BZ#973877/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java
Log:
BZ#973877 patch for RichFaces 3.3.3.Final, implementing a LookAheadObjectInputStream for object deserialisation
Added: branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java (rev 0)
+++ branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/LookAheadObjectInputStream.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -0,0 +1,148 @@
+/**
+ * JBoss, Home of Professional Open Source
+ * Copyright 2010, Red Hat, Inc. and individual contributors
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ **/
+package org.ajax4jsf.resource;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * When deserializing objects, first check that the class being deserialized is in the allowed whitelist.
+ *
+ * @author <a href="http://community.jboss.org/people/bleathem">Brian Leathem</a>
+ */
+public class LookAheadObjectInputStream extends ObjectInputStream {
+ private static final Map<String, Class<?>> PRIMITIVE_TYPES = new HashMap<String, Class<?>>(9, 1.0F);
+ private static Set<Class> whitelistBaseClasses = new HashSet<Class>();
+ private static Set<String> whitelistClassNameCache = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
+
+ static {
+ PRIMITIVE_TYPES.put("bool", Boolean.TYPE);
+ PRIMITIVE_TYPES.put("byte", Byte.TYPE);
+ PRIMITIVE_TYPES.put("char", Character.TYPE);
+ PRIMITIVE_TYPES.put("short", Short.TYPE);
+ PRIMITIVE_TYPES.put("int", Integer.TYPE);
+ PRIMITIVE_TYPES.put("long", Long.TYPE);
+ PRIMITIVE_TYPES.put("float", Float.TYPE);
+ PRIMITIVE_TYPES.put("double", Double.TYPE);
+ PRIMITIVE_TYPES.put("void", Void.TYPE);
+
+ whitelistClassNameCache.add(new Object[0].getClass().getName());
+ whitelistClassNameCache.add(new String[0].getClass().getName());
+ whitelistClassNameCache.add(new Boolean[0].getClass().getName());
+ whitelistClassNameCache.add(new Byte[0].getClass().getName());
+ whitelistClassNameCache.add(new Character[0].getClass().getName());
+ whitelistClassNameCache.add(new Short[0].getClass().getName());
+ whitelistClassNameCache.add(new Integer[0].getClass().getName());
+ whitelistClassNameCache.add(new Long[0].getClass().getName());
+ whitelistClassNameCache.add(new Float[0].getClass().getName());
+ whitelistClassNameCache.add(new Double[0].getClass().getName());
+ whitelistClassNameCache.add(new Void[0].getClass().getName());
+
+ whitelistBaseClasses.add(String.class);
+ whitelistBaseClasses.add(Boolean.class);
+ whitelistBaseClasses.add(Byte.class);
+ whitelistBaseClasses.add(Character.class);
+ whitelistBaseClasses.add(Number.class);
+
+ loadWhitelist();
+ }
+
+ public LookAheadObjectInputStream(InputStream in) throws IOException {
+ super(in);
+ }
+
+ /**
+ * Only deserialize primitive or whitelisted classes
+ */
+ @Override
+ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ Class<?> primitiveType = PRIMITIVE_TYPES.get(desc.getName());
+ if (primitiveType != null) {
+ return primitiveType;
+ }
+ if (!isClassValid(desc.getName())) {
+ throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+ }
+ return super.resolveClass(desc);
+ }
+
+ /**
+ * Determine if the given requestedClassName is allowed by the whitelist
+ */
+ boolean isClassValid(String requestedClassName) {
+ if (whitelistClassNameCache.contains(requestedClassName)) {
+ return true;
+ }
+ try {
+ Class<?> requestedClass = Class.forName(requestedClassName);
+ for (Class baseClass : whitelistBaseClasses ) {
+ if (baseClass.isAssignableFrom(requestedClass)) {
+ whitelistClassNameCache.add(requestedClassName);
+ return true;
+ }
+ }
+ } catch (ClassNotFoundException e) {
+ return false;
+ }
+ return false;
+ }
+
+ /**
+ * Load the whitelist from the properties file
+ */
+ static void loadWhitelist() {
+ Properties whitelistProperties = new Properties();
+ InputStream stream = null;
+ try {
+ stream = LookAheadObjectInputStream.class.getResourceAsStream("resource-serialization.properties");
+ whitelistProperties.load(stream);
+ } catch (IOException e) {
+ throw new RuntimeException("Error loading the ResourceBuilder.properties file", e);
+ } finally {
+ if (stream != null) {
+ try {
+ stream.close();
+ } catch (IOException e) {
+ throw new RuntimeException("Error closing the ResourceBuilder.properties file", e);
+ }
+ }
+ }
+ for (String baseClassName : whitelistProperties.getProperty("whitelist").split(",")) {
+ try {
+ Class<?> baseClass = Class.forName(baseClassName);
+ whitelistBaseClasses.add(baseClass);
+ } catch (ClassNotFoundException e) {
+ throw new RuntimeException("Unable to load whiteList class " + baseClassName, e);
+ }
+ }
+ }
+}
Modified: branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java 2013-06-18 12:32:15 UTC (rev 23238)
+++ branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/ResourceBuilderImpl.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -376,8 +376,7 @@
data = objectArray;
} else {
try {
- ObjectInputStream in = new ObjectInputStream(
- new ByteArrayInputStream(objectArray));
+ ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(objectArray));
data = in.readObject();
} catch (StreamCorruptedException e) {
log.error(Messages
Added: branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java (rev 0)
+++ branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/SerializableResource.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -0,0 +1,31 @@
+/**
+ * JBoss, Home of Professional Open Source
+ * Copyright 2010, Red Hat, Inc. and individual contributors
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ **/
+package org.ajax4jsf.resource;
+
+/**
+ * A marker interface, used to indicate that the class implementing this interfaces is cleared for deserialisation by
+ * the LookAheadObjectInputStream
+ *
+ * @author <a href="http://community.jboss.org/people/bleathem">Brian Leathem</a>
+ */
+public interface SerializableResource extends java.io.Serializable {
+}
Modified: branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java 2013-06-18 12:32:15 UTC (rev 23238)
+++ branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/java/org/ajax4jsf/resource/UserResource.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -23,7 +23,6 @@
import java.io.IOException;
import java.io.OutputStream;
-import java.io.Serializable;
import java.util.Date;
import javax.el.ELContext;
@@ -163,7 +162,7 @@
return true;
}
- public static class UriData implements Serializable {
+ public static class UriData implements SerializableResource {
/**
*
Added: branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties (rev 0)
+++ branches/embargo/3.3.3.Final_BZ#973877/framework/impl/src/main/resources/org/ajax4jsf/resource/resource-serialization.properties 2013-06-19 08:15:45 UTC (rev 23239)
@@ -0,0 +1 @@
+whitelist = org.ajax4jsf.resource.InternetResource,org.ajax4jsf.resource.SerializableResource,javax.el.Expression,javax.faces.el.MethodBinding,javax.faces.component.StateHolderSaver,java.awt.Color
\ No newline at end of file
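Review bot: The allowlist admits several open-ended base types — `org.ajax4jsf.resource.InternetResource`, `org.ajax4jsf.resource.SerializableResource`, `javax.el.Expression` and `javax.faces.el.MethodBinding` — so any subclass or implementor of them, wherever it is defined, passes the class-name check. For the EL types in particular a class filter cannot judge whether the expression an instance carries is safe to evaluate, so the code that later evaluates deserialised expressions needs its own validation; that code is not part of this change, so this is inferred. The single line also records no rationale per entry, which makes later edits to the list risky; a leading comment such as `# Types accepted by LookAheadObjectInputStream; interface and abstract entries admit every implementor, so keep this list minimal` would help, and `java.awt.Color` presumably exists here for the demo classes' colour fields. The file also lacks a trailing newline.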
Modified: branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java 2013-06-18 12:32:15 UTC (rev 23238)
+++ branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/media/MediaData.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -1,10 +1,11 @@
package org.richfaces.demo.media;
import java.awt.Color;
-import java.io.Serializable;
-public class MediaData implements Serializable{
+import org.ajax4jsf.resource.SerializableResource;
+public class MediaData implements SerializableResource {
+
private static final long serialVersionUID = 1L;
Integer Width=110;
Integer Height=50;
Modified: branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java 2013-06-18 12:32:15 UTC (rev 23238)
+++ branches/embargo/3.3.3.Final_BZ#973877/samples/richfaces-demo/src/main/java/org/richfaces/demo/paint2d/PaintData.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -1,8 +1,8 @@
package org.richfaces.demo.paint2d;
-import java.io.Serializable;
+import org.ajax4jsf.resource.SerializableResource;
-public class PaintData implements Serializable{
+public class PaintData implements SerializableResource {
/**
*
*/
Modified: branches/embargo/3.3.3.Final_BZ#973877/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java
===================================================================
--- branches/embargo/3.3.3.Final_BZ#973877/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java 2013-06-18 12:32:15 UTC (rev 23238)
+++ branches/embargo/3.3.3.Final_BZ#973877/ui/paint2D/src/main/java/org/richfaces/renderkit/html/Paint2DResource.java 2013-06-19 08:15:45 UTC (rev 23239)
@@ -27,7 +27,6 @@
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
-import java.io.Serializable;
import javax.faces.FacesException;
import javax.faces.component.UIComponentBase;
@@ -41,6 +40,7 @@
import org.ajax4jsf.resource.PngRenderer;
import org.ajax4jsf.resource.ResourceContext;
import org.ajax4jsf.resource.ResourceRenderer;
+import org.ajax4jsf.resource.SerializableResource;
import org.ajax4jsf.util.HtmlColor;
import org.richfaces.component.UIPaint2D;
@@ -126,7 +126,7 @@
}
}
- private static final class ImageData implements Serializable {
+ private static final class ImageData implements SerializableResource {
private static final long serialVersionUID = 4452040100045367728L;
JBoss Rich Faces SVN: r23237 - branches/embargo.
by richfaces-svn-commits@lists.jboss.org
Author: bleathem
Date: 2013-06-17 13:20:17 -0400 (Mon, 17 Jun 2013)
New Revision: 23237
Added:
branches/embargo/3.3.3.Final_BZ#973877/
Log:
Created the BZ#973877 branch from 3.3.3.Final to address CVE-2013-2165
JBoss Rich Faces SVN: r23236 - branches/embargo.
by richfaces-svn-commits@lists.jboss.org
Author: bleathem
Date: 2013-06-17 12:27:12 -0400 (Mon, 17 Jun 2013)
New Revision: 23236
Added:
branches/embargo/3.3.1.SP3_JBPAPP-10776/
Log:
Created the JBPAPP-10776 branch from 3.3.1.SP3 to address CVE-2013-2165
JBoss Rich Faces SVN: r23235 - branches.
by richfaces-svn-commits@lists.jboss.org
Author: bleathem
Date: 2013-06-17 12:26:18 -0400 (Mon, 17 Jun 2013)
New Revision: 23235
Added:
branches/embargo/
Log:
Created the embargo folder