Fixed apache#1138 check serialization in case it's changed from network.

lsfjGitHub · Jan 23, 2018 · 552965e · 552965e
1 parent ed1ae3d
commit 552965e
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/...g/dubbo-remoting-api/src/main/java/com/alibaba/dubbo/remoting/transport/CodecSupport.java b/...g/dubbo-remoting-api/src/main/java/com/alibaba/dubbo/remoting/transport/CodecSupport.java
@@ -24,6 +24,7 @@
 import com.alibaba.dubbo.common.logger.LoggerFactory;
 import com.alibaba.dubbo.common.serialize.Serialization;
 
+import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -32,6 +33,7 @@ public class CodecSupport {
 
     private static final Logger logger = LoggerFactory.getLogger(CodecSupport.class);
     private static Map<Byte, Serialization> ID_SERIALIZATION_MAP = new HashMap<Byte, Serialization>();
+    private static Map<Byte, String> ID_SERIALIZATIONNAME_MAP = new HashMap<Byte, String>();
 
     static {
         Set<String> supportedExtensions = ExtensionLoader.getExtensionLoader(Serialization.class).getSupportedExtensions();
@@ -46,6 +48,7 @@ public class CodecSupport {
                 continue;
             }
             ID_SERIALIZATION_MAP.put(idByte, serialization);
+            ID_SERIALIZATIONNAME_MAP.put(idByte, name);
         }
     }
 
@@ -61,12 +64,15 @@ public static Serialization getSerialization(URL url) {
                 url.getParameter(Constants.SERIALIZATION_KEY, Constants.DEFAULT_REMOTING_SERIALIZATION));
     }
 
-    public static Serialization getSerialization(URL url, Byte id) {
-        Serialization result = getSerializationById(id);
-        if (result == null) {
-            result = getSerialization(url);
+    public static Serialization getSerialization(URL url, Byte id) throws IOException {
+        Serialization serialization = getSerializationById(id);
+        String serializationName = url.getParameter(Constants.SERIALIZATION_KEY, Constants.DEFAULT_REMOTING_SERIALIZATION);
+        // Check if "serialization id" passed from network matches the id on this side(only take effect for JDK serialization), for security purpose.
+        if (serialization == null
+                || ((id == 3 || id == 7 || id == 4) && !(serializationName.equals(ID_SERIALIZATIONNAME_MAP.get(id))))) {
+            throw new IOException("Unexpected serialization id:" + id + " received from network, please check if the peer send the right id.");
         }
-        return result;
+        return serialization;
     }
 
 }