Posted to issues@commons.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2015/11/16 11:38:11 UTC

[jira] [Comment Edited] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

    [ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006477#comment-15006477 ] 

Bertrand Delacretaz edited comment on IO-487 at 11/16/15 10:37 AM:
-------------------------------------------------------------------

Or maybe

{code}
// 'is' is the untrusted InputStream being wrapped
ObjectInputStream ois =
  new ValidatingObjectInputStream(is)
  .accept(com.foo.Foo.class, Integer.class)
  .accept("com.bar.Bar*")
  .reject("com.baz.*");
{code}

You'd need to process those simplified regexes, but considering the conventions on class names it should be sufficient to map dots to {{\.}} and stars to {{.*}}.

And also include {{acceptPattern(Pattern p)}} and {{rejectPattern(Pattern p)}} for edge cases. Or maybe better, {{accept(ClassNameMatcher m)}} and {{reject(ClassNameMatcher m)}}.



was (Author: bdelacretaz):
Or maybe

{code}
// 'is' is the untrusted InputStream being wrapped
ObjectInputStream ois =
  new ValidatingObjectInputStream(is)
  .accept(com.foo.Foo.class, Integer.class)
  .accept("com.bar.Bar*")
  .reject("com.baz.*");
{code}

You'd need to process those simplified regexes, but considering the conventions on class names it should be sufficient to map dots to {{\.}} and stars to {{.*}}.

And also include {{acceptPattern(Pattern p)}} and {{rejectPattern(Pattern p)}} for edge cases.

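The sketch above, worked through as a complete example. This is added illustration code, not the commons-io implementation and not code from the comment author: the class name {{WildcardValidatingObjectInputStream}}, the {{wildcardToRegex}} helper and the sample payload are all assumptions made here. It implements the allow/deny-list {{ObjectInputStream}} by overriding {{resolveClass}}, converts the simplified wildcard syntax exactly as the comment proposes (dots to {{\.}}, stars to {{.*}}, everything else quoted), gives {{reject}} precedence over {{accept}}, and treats a class that matches no accept entry as rejected. The {{main}} method also shows the caveat a practitioner runs into first: the serialization stream carries a class descriptor for every serializable superclass, so accepting {{Integer}} alone is not enough, {{java.lang.Number}} must be accepted as well.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative allow/deny-list ObjectInputStream written from the comment's
 * sketch (hypothetical class, not the commons-io one). Rejects win over
 * accepts; a class matching no accept entry is rejected.
 */
public class WildcardValidatingObjectInputStream extends ObjectInputStream {
    private final List<Pattern> accepts = new ArrayList<>();
    private final List<Pattern> rejects = new ArrayList<>();

    public WildcardValidatingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Simplified wildcard -> regex: '.' becomes "\.", '*' becomes ".*", the rest is literal. */
    static Pattern wildcardToRegex(String wildcard) {
        StringBuilder sb = new StringBuilder("^");
        for (char c : wildcard.toCharArray()) {
            if (c == '*') {
                sb.append(".*");
            } else if (c == '.') {
                sb.append("\\.");
            } else if (Character.isLetterOrDigit(c) || c == '_') {
                sb.append(c);
            } else {
                sb.append(Pattern.quote(String.valueOf(c))); // e.g. '$' in nested class names
            }
        }
        return Pattern.compile(sb.append('$').toString());
    }

    public WildcardValidatingObjectInputStream accept(Class<?>... classes) {
        for (Class<?> c : classes) {
            accepts.add(Pattern.compile("^" + Pattern.quote(c.getName()) + "$"));
        }
        return this;
    }

    public WildcardValidatingObjectInputStream accept(String... wildcards) {
        for (String w : wildcards) {
            accepts.add(wildcardToRegex(w));
        }
        return this;
    }

    public WildcardValidatingObjectInputStream reject(String... wildcards) {
        for (String w : wildcards) {
            rejects.add(wildcardToRegex(w));
        }
        return this;
    }

    /** Called by ObjectInputStream for every class descriptor in the stream, superclasses included. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        validate(desc.getName());
        return super.resolveClass(desc);
    }

    void validate(String className) throws InvalidClassException {
        for (Pattern p : rejects) {
            if (p.matcher(className).matches()) {
                throw new InvalidClassException(className, "rejected by deny-list");
            }
        }
        for (Pattern p : accepts) {
            if (p.matcher(className).matches()) {
                return;
            }
        }
        throw new InvalidClassException(className, "not on accept list");
    }

    /** Constructed sample payload: a serialized Integer. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(Integer.valueOf(42));

        // Allow-list as in the comment, plus java.lang.Number: the stream holds a
        // descriptor for Integer's serializable superclass and resolveClass sees it too.
        try (WildcardValidatingObjectInputStream ois =
                 new WildcardValidatingObjectInputStream(new ByteArrayInputStream(payload))
                     .accept(Integer.class, Number.class)
                     .accept("com.bar.Bar*")
                     .reject("com.baz.*")) {
            System.out.println("accepted: " + ois.readObject());
        }

        // Same payload, accept list naming only Integer: rejected when Number is resolved.
        try (WildcardValidatingObjectInputStream ois =
                 new WildcardValidatingObjectInputStream(new ByteArrayInputStream(payload))
                     .accept(Integer.class)) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points worth noting: the check runs in {{resolveClass}}, which fires before any instance of the class is created, so a rejected class never has its {{readObject}} executed; and the deny-list is consulted first, so a broad accept pattern such as {{com.bar.Bar*}} cannot be used to sneak in a class that a narrower reject pattern names.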

> SafeObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------
>
>                 Key: IO-487
>                 URL: https://issues.apache.org/jira/browse/IO-487
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>
>         Attachments: IO-487-2.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io. I'll attach a patch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)