xstream

转： https://thief.one/2017/09/06/1/ s2-052漏洞介绍 s2-052漏洞是当用户使用带有XStream组件的Struts-REST插件对XML格式的数据包进行反序列化操作时，未对数据内容进行有效验证，可直接在数据包中插入恶意代码。 漏洞编号：CVE-2017-9805（S2-052） 漏洞影响：Struts2.5 – Struts2.5.12版本。 1.漏洞环境搭建 已经配置好Tomcat和JDK环境 从struts2的官网下载最后受影响的版本 struts-2.5.12 解压后，将apps目录下的struts2-rest-showcase.war文件放到webapps目录下，然后运行tomcat，访问页面得到 构造post包 可以直接使用上面的poc发包，也可以自己抓取数据包重放，自己抓取的方式是点击页面上的编辑，然后点击submit提交，抓取post包，再修改post的body字段为此漏洞的poc。 这点是通过Burpsuite和谷歌代理插件SwitchyOmega来获取request包并修改 在使用SwitchyOmega的时候始终不能代理127.0.0.1，最后修改为了192.168.5.9能代理的 原始request请求： POST /struts2-rest-showcase/orders/4 HTTP/1.1 Host: 192

The problem is that every time I execute the main method, the old content of a.xml is lost and is substituted with a new one. How to append content to the a.xml file without losing the previous information? import java.io.FileNotFoundException; import java.io.PrintWriter; import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.io.xml.DomDriver; public class Test { public static void main(String[] args) throws FileNotFoundException { XStream xs = new XStream(new DomDriver()); Foo f = new Foo(1, "booo", new Bar(42)); PrintWriter pw = new PrintWriter("a.xml"); xs.toXML(f,pw); } }

I want to have short names for classes, now i can do it with aliases XStream x = new XStream(); x.alias("dic", Dic.class); but i have to define alias manually for every class, is there any way to configure xstream to do it automatically? Internally, XStream uses its Mapper interface to handle the mapping of classes and fields to their corresponding names in the XML. There are a large number of implementations of this interface. The XStream class itself can take a Mapper in its constructor. You might want to check out the source code of that class to see which Mapper implementation it uses by

xStream 框架 xStream可以轻易的将Java对象和xml文档相互转换，而且可以修改某个特定的属性和节点名称，而且也支持json的转换； 前面有介绍过json-lib这个框架，在线博文： http://www.cnblogs.com/hoojo/archive/2011/04/21/2023805.html 以及Jackson这个框架，在线博文： http://www.cnblogs.com/hoojo/archive/2011/04/22/2024628.html 它们都完美支持JSON，但是对xml的支持还不是很好。一定程度上限制了对Java对象的描述，不能让xml完全体现到对Java对象的描述。这里将会介绍xStream对JSON、XML的完美支持。xStream不仅对XML的转换非常友好，而且提供annotation注解，可以在JavaBean中完成对xml节点、属性的描述。以及对JSON也支持，只需要提供相关的JSONDriver就可以完成转换。 一、 准备工作 1、 下载jar包、及官方资源 xStream的jar下载地址： https://nexus.codehaus.org/content/repositories/releases/com/thoughtworks/xstream/xstream-distribution/1.3.1/xstream

This code: println(new XStream.toXML(List(1,2,3))) produces this XML: <scala.coloncolon serialization="custom"> <unserializable-parents/> <scala.coloncolon> <int>1</int> <int>2</int> <int>3</int> <scala.ListSerializeEnd/> </scala.coloncolon> </scala.coloncolon> Instead I'd like this: <list> <int>1</int> <int>2</int> <int>3</int> </list> Which would be similar to how the generic java collections get serialized. Whats the best way to do this? I've got most of the way there by implementing my own converter, but I'm stuck on the unmarshal method, its not clear how to instantiate an empty list...

I have an object that needs to be serialised as XML, which contains the following field: List<String> tags = new List<String>(); XStream serialises it just fine (after some aliases) like this: <tags> <string>tagOne</string> <string>tagTwo</string> <string>tagThree</string> <string>tagFour</string> </tags> That's OK as far as it goes, but I'd like to be able to rename the <string> elements to, say, <tag> . I can't see an obvious way to do that from the alias documentation on the XStream site. Am I missing something obvious? I'd suggest changing the List<String> to a List<Tag> , where Tag is a

I have many xml files and I would like to use XStream to manage them. Is it possible to generate java classes corresponding to my xml files using XStream? XStream is a software to serialize and deserialize a Java Object to and from XML. XStream uses Reflection for this. The class of the objects involved has to exist beforehand. JAXB is a binding framework, which too does serialization and deserialization. JAXB has annotations to do this work. Bundled with the framework come tools to generate classes (complete with the already mentioned annotations) from an xsd (<-- declaration that describes