commons-issues mailing list archives

From "Jon Harper (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized
Date Mon, 31 Jul 2017 17:15:01 GMT

[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107618#comment-16107618 ]

Jon Harper commented on IO-487:
-------------------------------

Hi,
just adding a comment here as this is the best documentation I have found for this feature.
(This is actually what Thomas Neidhart said in the comment just before mine, but I didn't
understand it. At least I assume that's what he meant)

> java.lang.String will not be resolved

I confirm that you cannot blacklist java.lang.String. It will always be whitelisted and it
is like this by default. And java.lang.String is the only object that is like this.

This is because this algorithm works by using the readResolve call of the ClassDesc (which
comes before the object in the stream). Looking at
https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html,
java.lang.String is the only one that doesn't have a ClassDesc.

So primitive types and String are always whitelisted; all other types (including arrays and
boxed variants of primitive types) need to be whitelisted (either through a package java.lang.*
or individually) to allow deserializing all the transitive fields of all the objects needed
to deserialize the top object.

Cheers,
Jon

> ValidatingObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------------
>
>                 Key: IO-487
>                 URL: https://issues.apache.org/jira/browse/IO-487
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>
>         Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch, IO-487-accept-reject.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io. I'll attach a patch.
> _Update: this is committed now, see [1] for an example_.
> [1] https://svn.apache.org/repos/asf/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
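An added example (not part of the ticket, of Jon's comment, or of Commons IO's own tests) that exercises the behaviour described above against the ValidatingObjectInputStream API shipped in commons-io 2.5; the Holder type and its field values are constructed here. It goes one step beyond the comment by showing that a superclass descriptor carried in the stream (Number, for a boxed Integer) has to be accepted as well.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.function.Consumer;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class WhitelistDemo {
    // Constructed sample type: a primitive, a boxed Integer, a primitive array and a String.
    static class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        long id = 7L;
        Integer count = 42;
        int[] data = {1, 2, 3};
        String name = "alice";
    }

    // Applies an accept/reject configuration, then returns "allowed" or the refusal message.
    static String attempt(byte[] bytes, Consumer<ValidatingObjectInputStream> config) throws IOException {
        try (ValidatingObjectInputStream vois = new ValidatingObjectInputStream(new ByteArrayInputStream(bytes))) {
            config.accept(vois);   // everything not accepted is rejected by default
            vois.readObject();
            return "allowed";
        } catch (InvalidClassException e) {
            return e.getMessage(); // "Class name not accepted: <name>", thrown by the validating stream
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Holder()); }
        byte[] bytes = bos.toByteArray();

        // Only the top-level type accepted: refused at the first object field, the boxed Integer.
        System.out.println(attempt(bytes, v -> v.accept(Holder.class)));
        // Every class with a ClassDesc in the stream must be accepted: Integer, its superclass
        // Number, and int[] (stream name "[I"). The long and the String never need to be listed.
        System.out.println(attempt(bytes,
                v -> v.accept(Holder.class, Integer.class, Number.class, int[].class)));
        // Rejecting String changes nothing: no ClassDesc for it is ever read, so it is never checked.
        System.out.println(attempt(bytes,
                v -> v.accept(Holder.class, int[].class).accept("java.lang.*").reject(String.class)));
    }
}
```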
