Posted to issues@commons.apache.org by "Jon Harper (JIRA)" <ji...@apache.org> on 2017/07/31 17:15:01 UTC

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

    [ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107618#comment-16107618 ] 

Jon Harper commented on IO-487:
-------------------------------

Hi,
Just adding a comment here as this is the best documentation I have found for this feature. (This is actually what Thomas Neidhart said in the comment just before mine, but I didn't understand it. At least I assume that's what he meant.)

bq. java.lang.String will not be resolved

I confirm that you cannot blacklist java.lang.String. It will always be whitelisted and it is like this by default. And java.lang.String is the only object that is like this.

This is because this algorithm works by using the readResolve call of the ClassDesc (which comes before the object in the stream). Looking at https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html , java.lang.String is the only one that doesn't have a ClassDesc.

So primitive types and String are always whitelisted; all other types (including arrays and boxed variants of primitive types) need to be whitelisted (either through a package java.lang.* or individually) to allow deserializing all the transitive fields of all the objects needed to deserialize the top object.
Cheers,
Jon

> ValidatingObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------------
>
>                 Key: IO-487
>                 URL: https://issues.apache.org/jira/browse/IO-487
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>
>         Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch, IO-487-accept-reject.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io. I'll attach a patch.
> _Update: this is committed now, see [1] for an example_.
> [1] https://svn.apache.org/repos/asf/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
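The behaviour described in the comment above can be checked end to end with a small program. The following is an added example, not code from the IO-487 thread or from Commons IO itself; it assumes commons-io 2.5 or later on the classpath, and the `Record` class and its field values are constructed for the demonstration. It serializes one object whose fields cover the interesting cases (a String, a primitive, a boxed primitive, a primitive array) and then reads it back under three accept/reject policies, reporting which class name the stream rejects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

/**
 * Added example (not part of the IO-487 thread or of Commons IO): shows which
 * class names ValidatingObjectInputStream is asked to resolve for a small object
 * graph, and therefore which ones must be on the accept list.
 */
public class WhitelistDemo {

    /** Constructed sample payload type (hypothetical application class). */
    public static final class Record implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "alice";     // java.lang.String: written as TC_STRING, no class descriptor
        int count = 3;             // primitive: written inline, nothing to resolve
        Integer boxed = 42;        // descriptors for java.lang.Integer AND its superclass java.lang.Number
        int[] samples = {1, 2, 3}; // descriptor with the JVM array name "[I"
    }

    /** Hook so each test case can configure the accept/reject lists before reading. */
    interface Policy {
        void apply(ValidatingObjectInputStream in);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Reads one Record under the given policy and returns a one-line outcome. */
    static String tryRead(byte[] data, Policy policy) throws IOException {
        try (ValidatingObjectInputStream in =
                     new ValidatingObjectInputStream(new ByteArrayInputStream(data))) {
            policy.apply(in);
            Record r = (Record) in.readObject();
            return "accepted: name=" + r.name + " boxed=" + r.boxed
                    + " samples=" + r.samples.length;
        } catch (InvalidClassException e) {
            // ValidatingObjectInputStream throws this from resolveClass() with the
            // offending class name in the message.
            return "rejected: " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "missing: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] data = serialize(new Record());

        // 1. Only the top-level class is accepted. The String and the int are fine
        //    (no descriptor to resolve), but the first object field with a descriptor
        //    (java.lang.Integer) is rejected, so the read fails.
        System.out.println("top class only     -> "
                + tryRead(data, in -> in.accept(Record.class)));

        // 2. Accepting the boxed type alone is still not enough: the stream also
        //    carries a descriptor for its serializable superclass java.lang.Number,
        //    and one for the int[] under the name "[I". A package wildcard plus the
        //    array name covers all of them.
        System.out.println("package + array    -> "
                + tryRead(data, in -> in.accept(Record.class)
                                        .accept("java.lang.*")
                                        .accept("[I")));

        // 3. Rejecting java.lang.String has no effect: String values never go through
        //    resolveClass(), so the reject rule is never consulted for them.
        System.out.println("reject String      -> "
                + tryRead(data, in -> in.accept(Record.class)
                                        .accept("java.lang.*")
                                        .accept("[I")
                                        .reject(String.class)));
    }
}
```

Case 1 fails on `java.lang.Integer` rather than on the String field, case 2 succeeds, and case 3 succeeds despite the explicit reject, which is the behaviour the comment describes. Note that the array is matched on the JVM name `[I` (and an `Object[]` would be `[Ljava.lang.Object;`), so accept lists built from package wildcards alone will not admit arrays; add the array names explicitly or use an accept(Pattern) rule that tolerates the leading `[`.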



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)