x-stream/xstream

unable to deserialize to object


Hi
I am unable to deserialize the following XML to an object.

<Setting>
  <x>110</x>
  <y>0</y>
  <width>220</width>
  <height>0</height>
</Setting>
			// Fails on 1.4.19 (but not 1.4.15) at fromXML(): Setting was never allowed
			// through XStream's security framework, so the type is refused.
			XStream xstream = new XStream();
			xstream.alias("Setting", Setting.class);
			String xml = FileUtils.readFileToString(new File("setting.xml"), "utf-8");
			Setting setting = (Setting) xstream.fromXML(xml);
package hk.quantr.graph;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.annotations.XStreamAsAttribute;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;

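public class Setting {

	/** File the settings are persisted to, relative to the working directory. */
	private static final String SETTING_FILE = "setting.xml";
	/** Lazily loaded singleton; populated by {@link #getInstance()} (and by {@link #load()} on its fallback path). */
	private static Setting setting = null;
	public int x;
	public int y;
	public int width;
	public int height;

	/**
	 * Returns the shared instance, loading it from {@value #SETTING_FILE} on first use.
	 *
	 * @return the cached settings; never {@code null}
	 */
	public static Setting getInstance() {
		if (setting == null) {
			setting = load();
		}
		return setting;
	}

	/** Prints the stored x and width values, loading the settings if needed. */
	public static void main(String[] args) {
		Setting loaded = Setting.getInstance();
		System.out.println(loaded.x);
		System.out.println(loaded.width);
	}

	/**
	 * Builds an XStream instance configured for this class.
	 * <p>
	 * Newer XStream releases (the reporter saw it with 1.4.19) refuse to deserialize any type
	 * that has not been explicitly allowed, so {@code fromXML} of a {@code <Setting>} document
	 * fails unless {@code Setting} is registered with the security framework. Allowing only
	 * this one class also keeps the deserializer from instantiating anything else a tampered
	 * settings file might name.
	 *
	 * @return a new, configured {@link XStream}
	 */
	private static XStream newXStream() {
		XStream xstream = new XStream();
		xstream.alias("Setting", Setting.class);
		xstream.allowTypes(new Class[]{Setting.class});
		return xstream;
	}

	/**
	 * Serializes this object to {@value #SETTING_FILE}, overwriting any existing file.
	 * Failures are reported to stderr and otherwise ignored (best effort).
	 */
	public void save() {
		String xml = newXStream().toXML(this);
		// try-with-resources: the stream was previously never closed.
		try (FileOutputStream out = new FileOutputStream(new File(SETTING_FILE))) {
			IOUtils.write(xml, out, "utf-8");
		} catch (IOException e) {
			e.printStackTrace();
		}
	}

	/**
	 * Reads the settings from {@value #SETTING_FILE}.
	 * <p>
	 * If the file is missing, unreadable or rejected by XStream, a default {@code Setting}
	 * is created, stored in the singleton field, written to disk and returned.
	 *
	 * @return the loaded or freshly created settings; never {@code null}
	 */
	public static Setting load() {
		try {
			String xml = FileUtils.readFileToString(new File(SETTING_FILE), "utf-8");
			return (Setting) newXStream().fromXML(xml);
		} catch (Exception ex) {
			// Report why the file was not usable instead of silently falling back.
			ex.printStackTrace();
			// NOTE(review): this removes "gkd.xml", not the settings file that was just
			// read — confirm the intended target.
			new File("gkd.xml").delete();
			setting = new Setting();
			setting.save();
			return setting;
		}
	}

}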

thanks

1.4.15 works, 1.4.19 does not.

This is correct. XStream no longer deserializes arbitrary unknown class types. It has no clue whether a class is a security risk or not. It is now your job to set up XStream's security framework, where you decide which class types are safe. Actually this would have been your job with 1.4.15 as well, but you chose to ignore XStream's warning.