commons-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: SafeObjectInputStream in Commons?
Date Fri, 13 Nov 2015 19:57:32 GMT
On Fri, Nov 13, 2015 at 11:53 AM, Phil Steitz <phil.steitz@gmail.com> wrote:

> Hey Bertrand,
>
> Welcome to Commons!
>

+1

Gary


>
> Phil
>
> > On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz <
> bdelacretaz@apache.org> wrote:
> >
> > Hi,
> >
> > I've just subscribed to this list after briefly discussing this with
> > Benedikt Ritter.
> >
> > I have written a small module [1] that provides a safer replacement
> > for ObjectInputStream, to avoid the recently discussed Java
> > deserialization issues.
> >
> > For now that module is in my Sling whiteboard but I'd be interested in
> > donating it to Commons if you guys think it's a good idea, and
> > maintaining it here if you agree.
> >
> > This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> > allow restricted sets of classes to be deserialized. An efficient
> > whitelist-based ClassAcceptor is provided, as well as a more flexible
> > and slower RegexpClassAcceptor that has both white and black lists -
> > and of course one can supply their own ClassAcceptor implementation.
> >
> > Are you guys interested? From my point of view it's good enough to
> > release, it just needs additional OSGi Export-Package headers to be
> > usable in an OSGi environment like Sling.
> >
> > Let me know what you think.
> >
> > -Bertrand
> >
> > [1]
> https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/
> >
> > [2]
> https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
> > - it's basically just a "void accept(String className) throws
> > ClassRejectedException" method.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
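The design Bertrand outlines above (an ObjectInputStream that consults a ClassAcceptor before any class is resolved, with a whitelist-based acceptor as the default) is small enough to show end to end. The following is an added illustration written for this archive page, not code from the Sling whiteboard module or from Commons; the interface name and the `accept(String) throws ClassRejectedException` signature are taken from the message, while `WhitelistClassAcceptor`, the decision to make `ClassRejectedException` an `IOException` (so it can propagate out of `resolveClass`), and the demo class are assumptions of this example.

```java
import java.io.*;
import java.util.*;

// Interface as described in the thread: reject by throwing, accept by returning.
interface ClassAcceptor {
    void accept(String className) throws ClassRejectedException;
}

// Assumption of this example: subclassing IOException lets the rejection
// surface directly from ObjectInputStream.readObject() without wrapping.
class ClassRejectedException extends IOException {
    ClassRejectedException(String className) {
        super("Deserialization of class " + className + " rejected");
    }
}

// Hypothetical whitelist acceptor: a set lookup, so it is cheap per descriptor.
class WhitelistClassAcceptor implements ClassAcceptor {
    private final Set<String> allowed;

    WhitelistClassAcceptor(String... classNames) {
        allowed = new HashSet<>(Arrays.asList(classNames));
    }

    public void accept(String className) throws ClassRejectedException {
        if (!allowed.contains(className)) {
            throw new ClassRejectedException(className);
        }
    }
}

class SafeObjectInputStream extends ObjectInputStream {
    private final ClassAcceptor acceptor;

    SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
        super(in);
        this.acceptor = acceptor;
    }

    // Called for every class descriptor read from the stream, before the class
    // is loaded; a rejected class therefore never has readObject/readResolve run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        acceptor.accept(desc.getName());
        return super.resolveClass(desc);
    }

    // Dynamic proxies bypass resolveClass, so their interfaces are checked too.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        for (String name : interfaces) {
            acceptor.accept(name);
        }
        return super.resolveProxyClass(interfaces);
    }
}

public class SafeObjectInputStreamDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ClassAcceptor acceptor)
            throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in =
                     new SafeObjectInputStream(new ByteArrayInputStream(bytes), acceptor)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ClassAcceptor acceptor = new WhitelistClassAcceptor("java.util.ArrayList");

        // Constructed sample payloads: one built from a whitelisted class, one not.
        byte[] allowed = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        byte[] notAllowed = serialize(new Date(0));

        System.out.println("accepted: " + deserialize(allowed, acceptor));
        try {
            deserialize(notAllowed, acceptor);
        } catch (ClassRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth checking in any such stream: the acceptor must run before `super.resolveClass` (a check placed after class loading still leaves `readResolve` and static initialisers reachable), and proxy descriptors take the separate `resolveProxyClass` path, which is why both hooks are overridden here.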
