commons-issues mailing list archives

From "Bertrand Delacretaz (JIRA)" <>
Subject [jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
Date Mon, 16 Nov 2015 10:00:17 GMT


Bertrand Delacretaz updated IO-487:
    Attachment: IO-487-matchers.patch

Based on all those great ideas, here's a variant (IO-487-matchers.patch) that I find simpler
and more foolproof to use; the single-class setup code is now

ObjectInputStream ois = 
  new ValidatingObjectInputStream(is)
  .withWhitelist(new FullClassNameMatcher(MyClass.class.getName()));

And allowing a full package except for a specific class would be

ObjectInputStream ois = 
  new ValidatingObjectInputStream(is)
  .withWhitelist(new RegexClassNameMatcher("com\\.example\\.foo.*"),

Someone said they prefer include/exclude instead of black/whitelists. I don't mind; it's just
that the latter are common terms in security discussions.

> SafeObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------
>                 Key: IO-487
>                 URL:
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>         Attachments: IO-487-2.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io.
> I'll attach a patch.
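The mechanism behind a validating stream like the one in the patch, as an added stand-alone example (not the IO-487 code, and not the commons-io API): an ObjectInputStream subclass whose resolveClass() consults an allow list of name matchers and rejects every other class before any instance of it is created. The class and method names (AllowListObjectInputStream, exact, regex, Greeting) are assumptions for this illustration; the sample payloads are constructed in the program.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

public class AllowListDemo {
    /** Hypothetical matcher abstraction; a stand-in for the patch's matcher classes, not its API. */
    interface ClassNameMatcher { boolean matches(String className); }
    static ClassNameMatcher exact(String fqcn) { return fqcn::equals; }
    static ClassNameMatcher regex(String re) { Pattern p = Pattern.compile(re); return n -> p.matcher(n).matches(); }

    /** Default-deny stream: resolveClass() runs for each class descriptor before any instance is created. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<ClassNameMatcher> allow = new ArrayList<>();
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        AllowListObjectInputStream allow(ClassNameMatcher m) { allow.add(m); return this; }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (allow.stream().anyMatch(m -> m.matches(name))) return super.resolveClass(desc);
            // Rejected here, so no constructor, readObject() or readResolve() of the class ever runs.
            throw new InvalidClassException(name, "not on the allow list");
        }
    }
    /** Constructed sample type; its String field is written inline and never reaches resolveClass(). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ClassNameMatcher onlyGreeting = exact(Greeting.class.getName());
        byte[] greeting = serialize(new Greeting("hello"));
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(greeting)).allow(onlyGreeting)) {
            System.out.println("accepted: " + ((Greeting) ois.readObject()).text);
        }
        byte[] list = serialize(new ArrayList<>(Arrays.asList("a", "b")));  // same policy, unlisted class
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(list)).allow(onlyGreeting)) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A deny list alone only blocks the gadget classes you already know about, which is why the allow-list form is the safer default; later JDKs (9+, backported to 8u121) ship java.io.ObjectInputFilter for the same purpose.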

This message was sent by Atlassian JIRA
