Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convenient configuration of type permissions for XStream 1.4.18 #27343

Closed
jhoeller opened this issue Aug 31, 2021 · 0 comments
Closed

Convenient configuration of type permissions for XStream 1.4.18 #27343

jhoeller opened this issue Aug 31, 2021 · 0 comments
Assignees
@jhoeller
Labels
in: data Issues in data modules (jdbc, orm, oxm, tx) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Milestone
5.3.10

Comments

@jhoeller
Copy link
Contributor

jhoeller commented Aug 31, 2021
edited
Loading

As of XStream 1.4.18, the default type permissions are restricted to well-known core JDK types. Since any custom types will require explicit type permissions now, it seems sensible to provide an explicit typePermissions property on Spring's XStreamMarshaller, as a convenient alternative to overriding the customizeXStream method.

On a related note, we should also translate XStream's ForbiddenClassException (which is very commonly raised by XStream 1.4.18 now) to our specific UnmarshallingFailureException (instead of our fallback UncategorizedMappingException).

Since XStream 1.4.18 is a vulnerability-driven update, we may also expect it to be applied to Spring Framework 5.2.x setups, suggesting a backport of this convenience revision as well (at the expense of raising the minimum XStream version from our historic 1.4.5+ to 1.4.7+ which should be acceptable even for the 5.2.x branch since 1.4.5 dates back to Sep 2013 and 1.4.7 to Feb 2014, just a few months later).
@jhoeller jhoeller added in: data Issues in data modules (jdbc, orm, oxm, tx) type: enhancement A general enhancement labels Aug 31, 2021
@jhoeller jhoeller added this to the 5.3.10 milestone Aug 31, 2021
@jhoeller jhoeller self-assigned this Aug 31, 2021
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.2.x labels Aug 31, 2021
Closed
jhoeller added a commit that referenced this issue Sep 2, 2021
@jhoeller
Convenient configuration of type permissions for XStream 1.4.18
9c931f6 
Closes gh-27343

(cherry picked from commit 837301f)
@sync-by-unito sync-by-unito bot mentioned this issue Sep 15, 2021
Closed
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@jhoeller @lxbzmy
Convenient configuration of type permissions for XStream 1.4.18
90c7bc6 
Closes spring-projectsgh-27343
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhoeller jhoeller

Labels
in: data Issues in data modules (jdbc, orm, oxm, tx) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Projects
None yet
Milestone
5.3.10
Development

No branches or pull requests
2 participants
@jhoeller @spring-projects-issues