From: Markus Koschany <apo@debian.org>
Date: Wed, 22 Sep 2021 12:12:08 +0200
Subject: enable security whitelist by default

---
 .../src/java/com/thoughtworks/xstream/XStream.java | 175 ++++++++++-----------
 1 file changed, 85 insertions(+), 90 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index a088877..5c49410 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -695,107 +695,102 @@ public class XStream {
         if (securityMapper == null) {
             return;
         }
-        
-        addPermission(AnyTypePermission.ANY);
-        securityInitialized = false;
+        addPermission(NoTypePermission.NONE);
+        addPermission(NullPermission.NULL);
+        addPermission(PrimitiveTypePermission.PRIMITIVES);
+        addPermission(ArrayTypePermission.ARRAYS);
+        addPermission(InterfaceTypePermission.INTERFACES);
+        allowTypeHierarchy(Calendar.class);
+        allowTypeHierarchy(Collection.class);
+        allowTypeHierarchy(Map.class);
+        allowTypeHierarchy(Map.Entry.class);
+        allowTypeHierarchy(Member.class);
+        allowTypeHierarchy(Number.class);
+        allowTypeHierarchy(Throwable.class);
+        allowTypeHierarchy(TimeZone.class);
+
+        Class type = JVM.loadClassForName("java.lang.Enum");
+        if (type != null) {
+            allowTypeHierarchy(type);
+        }
+        type = JVM.loadClassForName("java.nio.file.Path");
+        if (type != null) {
+            allowTypeHierarchy(type);
+        }
+
+        final Set types = new HashSet();
+        types.add(BitSet.class);
+        types.add(Charset.class);
+        types.add(Class.class);
+        types.add(Currency.class);
+        types.add(Date.class);
+        types.add(DecimalFormatSymbols.class);
+        types.add(File.class);
+        types.add(Locale.class);
+        types.add(Object.class);
+        types.add(Pattern.class);
+        types.add(StackTraceElement.class);
+        types.add(String.class);
+        types.add(StringBuffer.class);
+        types.add(JVM.loadClassForName("java.lang.StringBuilder"));
+        types.add(URL.class);
+        types.add(URI.class);
+        types.add(JVM.loadClassForName("java.util.UUID"));
+        if (JVM.isSQLAvailable()) {
+            types.add(JVM.loadClassForName("java.sql.Timestamp"));
+            types.add(JVM.loadClassForName("java.sql.Time"));
+            types.add(JVM.loadClassForName("java.sql.Date"));
+        }
+        if (JVM.isVersion(8)) {
+            allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
+            types.add(JVM.loadClassForName("java.time.Duration"));
+            types.add(JVM.loadClassForName("java.time.Instant"));
+            types.add(JVM.loadClassForName("java.time.LocalDate"));
+            types.add(JVM.loadClassForName("java.time.LocalDateTime"));
+            types.add(JVM.loadClassForName("java.time.LocalTime"));
+            types.add(JVM.loadClassForName("java.time.MonthDay"));
+            types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
+            types.add(JVM.loadClassForName("java.time.OffsetTime"));
+            types.add(JVM.loadClassForName("java.time.Period"));
+            types.add(JVM.loadClassForName("java.time.Ser"));
+            types.add(JVM.loadClassForName("java.time.Year"));
+            types.add(JVM.loadClassForName("java.time.YearMonth"));
+            types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
+            allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
+            types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
+            types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.Ser"));
+            allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
+            types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
+            types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
+        }
+        types.remove(null);
+
+        final Iterator iter = types.iterator();
+        final Class[] classes = new Class[types.size()];
+        for (int i = 0; i < classes.length; ++i) {
+            classes[i] = (Class)iter.next();
+        }
+        allowTypes(classes);
+
     }
 
     /**
      * Setup the security framework of a XStream instance.
      * <p>
-     * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
-     * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do
-     * therefore nothing in XStream 1.5.
+     * This method was a pure helper method for XStream 1.4.10 to 1.4.17.  It initialized an XStream instance with a
+     * whitelist of well-known and simply types of the Java runtime as it is done in XStream 1.4.11 by default.  This
+     * method will do therefore nothing in XStream 1.4.11 or higher.
      * </p>
      * 
      * @param xstream
      * @since 1.4.10
+     * @deprecated As of 1.4.11
      */
     public static void setupDefaultSecurity(final XStream xstream) {
-        if (!xstream.securityInitialized) {
-            xstream.addPermission(NoTypePermission.NONE);
-            xstream.addPermission(NullPermission.NULL);
-            xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
-            xstream.addPermission(ArrayTypePermission.ARRAYS);
-            xstream.addPermission(InterfaceTypePermission.INTERFACES);
-            xstream.allowTypeHierarchy(Calendar.class);
-            xstream.allowTypeHierarchy(Collection.class);
-            xstream.allowTypeHierarchy(Map.class);
-            xstream.allowTypeHierarchy(Map.Entry.class);
-            xstream.allowTypeHierarchy(Member.class);
-            xstream.allowTypeHierarchy(Number.class);
-            xstream.allowTypeHierarchy(Throwable.class);
-            xstream.allowTypeHierarchy(TimeZone.class);
-
-            Class type = JVM.loadClassForName("java.lang.Enum");
-            if (type != null) {
-                xstream.allowTypeHierarchy(type);
-            }
-            type = JVM.loadClassForName("java.nio.file.Path");
-            if (type != null) {
-                xstream.allowTypeHierarchy(type);
-            }
-
-            final Set types = new HashSet();
-            types.add(BitSet.class);
-            types.add(Charset.class);
-            types.add(Class.class);
-            types.add(Currency.class);
-            types.add(Date.class);
-            types.add(DecimalFormatSymbols.class);
-            types.add(File.class);
-            types.add(Locale.class);
-            types.add(Object.class);
-            types.add(Pattern.class);
-            types.add(StackTraceElement.class);
-            types.add(String.class);
-            types.add(StringBuffer.class);
-            types.add(JVM.loadClassForName("java.lang.StringBuilder"));
-            types.add(URL.class);
-            types.add(URI.class);
-            types.add(JVM.loadClassForName("java.util.UUID"));
-            if (JVM.isSQLAvailable()) {
-                types.add(JVM.loadClassForName("java.sql.Timestamp"));
-                types.add(JVM.loadClassForName("java.sql.Time"));
-                types.add(JVM.loadClassForName("java.sql.Date"));
-            }
-            if (JVM.isVersion(8)) {
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
-                types.add(JVM.loadClassForName("java.time.Duration"));
-                types.add(JVM.loadClassForName("java.time.Instant"));
-                types.add(JVM.loadClassForName("java.time.LocalDate"));
-                types.add(JVM.loadClassForName("java.time.LocalDateTime"));
-                types.add(JVM.loadClassForName("java.time.LocalTime"));
-                types.add(JVM.loadClassForName("java.time.MonthDay"));
-                types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
-                types.add(JVM.loadClassForName("java.time.OffsetTime"));
-                types.add(JVM.loadClassForName("java.time.Period"));
-                types.add(JVM.loadClassForName("java.time.Ser"));
-                types.add(JVM.loadClassForName("java.time.Year"));
-                types.add(JVM.loadClassForName("java.time.YearMonth"));
-                types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
-                types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
-                types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.Ser"));
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
-                types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
-                types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
-            }
-            types.remove(null);
-
-            final Iterator iter = types.iterator();
-            final Class[] classes = new Class[types.size()];
-            for (int i = 0; i < classes.length; ++i) {
-                classes[i] = (Class)iter.next();
-            }
-            xstream.allowTypes(classes);
-        } else {
-            throw new IllegalArgumentException("Security framework of XStream instance already initialized");
-        }
     }
 
     protected void setupAliases() {
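Review bot: `setupDefaultSecurity` (L118) now carries a Javadoc `@deprecated` tag but no `@Deprecated` annotation, so callers get no compiler warning that the call has become a no-op; the signature line should read `@Deprecated public static void setupDefaultSecurity(final XStream xstream) {` (or `/** @deprecated */` plus the annotation, as javac requires both). The new Javadoc is also self-contradictory: it describes the helper as covering "1.4.10 to 1.4.17" yet says the whitelist is the default "in XStream 1.4.11" and the method does nothing "in 1.4.11 or higher"; one of the two version ranges is wrong and they should be reconciled against the version this patch actually ships in. In the default whitelist, `allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"))` (L67, likewise L81 and L88) passes the loaded class straight through, whereas the `java.lang.Enum`/`java.nio.file.Path` lookups at L34-41 null-check first and the `types` set is scrubbed with `types.remove(null)`; presumably the `JVM.isVersion(8)` guard makes these loads succeed, but guarding them the same way as L34-41 would keep the method consistent if `allowTypeHierarchy` does not tolerate `null`. The method that receives the whitelist starts before the hunk, so its Javadoc is not visible here; it should now state that a restrictive default is installed and that callers relying on the former `AnyTypePermission.ANY` default must explicitly allow any additional types they unmarshal, e.g. `Sets up a default whitelist of well-known JDK types; anything else must be allowed explicitly via allowTypes/allowTypeHierarchy or is rejected on unmarshal.`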
