commons-dev mailing list archives

From Uwe Barthel <bart...@x-reizend.de>
Subject Re: SafeObjectInputStream in Commons?
Date Fri, 13 Nov 2015 20:18:28 GMT
+2 :-)

With kind regards
Uwe Barthel
-- 
barthel@x-reizend.de


> On 13 Nov 2015, at 18:22, Jörg Schaible <joerg.schaible@gmx.de> wrote:
> 
> Hi Bertrand,
> 
> Bertrand Delacretaz wrote:
> 
>> Hi,
>> 
>> I've just subscribed to this list after briefly discussing this with
>> Benedikt Ritter.
>> 
>> I have written a small module [1] that provides a safer replacement
>> for ObjectInputStream, to avoid the recently discussed Java
>> deserialization issues.
>> 
>> For now that module is in my Sling whiteboard but I'd be interested in
>> donating it to Commons if you guys think it's a good idea, and
>> maintaining it here if you agree.
>> 
>> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
>> allow restricted sets of classes to be deserialized. An efficient
>> whitelist-based ClassAcceptor is provided, as well as a more flexible
>> and slower RegexpClassAcceptor that has both white and black lists -
>> and of course one can supply their own ClassAcceptor implementation.
>> 
>> Are you guys interested? From my point of view it's good enough to
>> release, it just needs additional OSGi Export-Package headers to be
>> usable in an OSGi environment like Sling.
>> 
>> Let me know what you think.
> 
> Good enhancement. For commons-io?
> 
> Would be good to have also an analogous ObjectOutputStream, just to avoid a 
> problem at deserialisation time simply caused by accident.
> 
> Cheers,
> Jörg
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org


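To make the ClassAcceptor hook Bertrand describes concrete, here is an added example (my own sketch, not the Sling whiteboard module's code): an ObjectInputStream subclass that asks a whitelist acceptor in resolveClass before any class named in the stream is loaded. The `accept` method name, the WhitelistClassAcceptor class and the sample objects are assumptions made for this illustration.

```java
import java.io.*;
import java.util.*;

public class SafeDeserializationDemo {
    // Decides whether a class named in the stream may be deserialized
    // (illustrative interface; the method name is an assumption, not the module's API).
    interface ClassAcceptor {
        boolean accept(String className);
    }

    // Whitelist acceptor: exact class-name match; anything not listed is rejected.
    static final class WhitelistClassAcceptor implements ClassAcceptor {
        private final Set<String> allowed;
        WhitelistClassAcceptor(String... names) { allowed = new HashSet<>(Arrays.asList(names)); }
        public boolean accept(String className) { return allowed.contains(className); }
    }

    // resolveClass runs while the class descriptor is read, before that class's own
    // readObject/readResolve could execute, so rejecting here stops an unwanted class early.
    static final class SafeObjectInputStream extends ObjectInputStream {
        private final ClassAcceptor acceptor;
        SafeObjectInputStream(InputStream in, ClassAcceptor a) throws IOException { super(in); acceptor = a; }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!acceptor.accept(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not accepted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ClassAcceptor acceptor = new WhitelistClassAcceptor("java.util.ArrayList");
        // Accepted: the stream names only java.util.ArrayList (String elements do not go through resolveClass).
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(new ArrayList<>(Arrays.asList("a", "b")))), acceptor)) {
            System.out.println("accepted: " + in.readObject());
        }
        // Rejected: java.util.HashMap is not whitelisted, so readObject fails before any HashMap code runs.
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(new HashMap<String, String>())), acceptor)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The same hook has been part of the JDK since Java 9 as ObjectInputFilter (JEP 290), which is the preferred place for such a whitelist on modern runtimes.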

