Posted to dev@commons.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2015/11/13 18:00:20 UTC

SafeObjectInputStream in Commons?

Hi,

I've just subscribed to this list after briefly discussing this with
Benedikt Ritter.

I have written a small module [1] that provides a safer replacement
for ObjectInputStream, to avoid the recently discussed Java
deserialization issues.

For now that module is in my Sling whiteboard but I'd be interested in
donating it to Commons if you guys think it's a good idea, and
maintaining it here if you agree.

This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
allow restricted sets of classes to be deserialized. An efficient
whitelist-based ClassAcceptor is provided, as well as a more flexible
and slower RegexpClassAcceptor that has both white and black lists -
and of course one can supply their own ClassAcceptor implementation.

Are you guys interested? From my point of view it's good enough to
release, it just needs additional OSGi Export-Package headers to be
usable in an OSGi environment like Sling.

Let me know what you think.

-Bertrand

[1] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/

[2] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
- it's basically just a "void accept(String className) throws
ClassRejectedException" method.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
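
The filtering approach described in the message above, as an added example; it is not the code of the Sling whiteboard module and not written by any poster in this thread. ClassAcceptor and ClassRejectedException follow the one-line signature quoted in [2]; their bodies, the InvalidClassException superclass, allowList, FilteringObjectInputStream and the sample data are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;
public class SafeDeserializationDemo {
    // Assumed shape, following the one-line description in the message.
    static class ClassRejectedException extends InvalidClassException {
        ClassRejectedException(String name) { super(name, "not accepted for deserialization"); }
    }
    interface ClassAcceptor { void accept(String className) throws ClassRejectedException; }

    // Hypothetical exact-name allowlist: one hash lookup per class descriptor.
    static ClassAcceptor allowList(String... names) {
        Set<String> allowed = new HashSet<>(Arrays.asList(names));
        return name -> { if (!allowed.contains(name)) throw new ClassRejectedException(name); };
    }

    // The check runs in resolveClass(), before the class is loaded or any readObject() runs.
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final ClassAcceptor acceptor;
        FilteringObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
            super(in);
            this.acceptor = acceptor;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            acceptor.accept(desc.getName());
            return super.resolveClass(desc);
        }
    }

    static Object read(byte[] data, ClassAcceptor acceptor) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(data), acceptor)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList(1, 2, 3))); // constructed sample input
        }
        // Superclass descriptors are checked too, so java.lang.Number must be listed for Integer.
        System.out.println(read(buf.toByteArray(), allowList("java.util.ArrayList", "java.lang.Integer", "java.lang.Number")));
        try {
            read(buf.toByteArray(), allowList("java.lang.String")); // ArrayList is not listed
        } catch (ClassRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Array types reach the acceptor under their JVM names (for example `[Ljava.lang.String;`), and dynamic proxy descriptors go through resolveProxyClass, which this sketch does not override.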


Re: SafeObjectInputStream in Commons?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Nov 13, 2015 at 8:53 PM, Phil Steitz <ph...@gmail.com> wrote:
> ...Welcome to Commons!

Thanks! After so many years doing Java stuff at the ASF I finally
found something meaningful to contribute here.

-Bertrand



Re: SafeObjectInputStream in Commons?

Posted by Gary Gregory <ga...@gmail.com>.
On Fri, Nov 13, 2015 at 11:53 AM, Phil Steitz <ph...@gmail.com> wrote:

> Hey Bertrand,
>
> Welcome to Commons!
>

+1

Gary


>
> Phil
>
> > On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz <
> bdelacretaz@apache.org> wrote:
> >
> > Hi,
> >
> > I've just subscribed to this list after briefly discussing this with
> > Benedikt Ritter.
> >
> > I have written a small module [1] that provides a safer replacement
> > for ObjectInputStream, to avoid the recently discussed Java
> > deserialization issues.
> >
> > For now that module is in my Sling whiteboard but I'd be interested in
> > donating it to Commons if you guys think it's a good idea, and
> > maintaining it here if you agree.
> >
> > This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> > allow restricted sets of classes to be deserialized. An efficient
> > whitelist-based ClassAcceptor is provided, as well as a more flexible
> > and slower RegexpClassAcceptor that has both white and black lists -
> > and of course one can supply their own ClassAcceptor implementation.
> >
> > Are you guys interested? From my point of view it's good enough to
> > release, it just needs additional OSGi Export-Package headers to be
> > usable in an OSGi environment like Sling.
> >
> > Let me know what you think.
> >
> > -Bertrand
> >
> > [1]
> https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/
> >
> > [2]
> https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
> > - it's basically just a "void accept(String className) throws
> > ClassRejectedException" method.
> >


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory

Re: SafeObjectInputStream in Commons?

Posted by Phil Steitz <ph...@gmail.com>.
Hey Bertrand,

Welcome to Commons!

Phil

> On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz <bd...@apache.org> wrote:
> 
> Hi,
> 
> I've just subscribed to this list after briefly discussing this with
> Benedikt Ritter.
> 
> I have written a small module [1] that provides a safer replacement
> for ObjectInputStream, to avoid the recently discussed Java
> deserialization issues.
> 
> For now that module is in my Sling whiteboard but I'd be interested in
> donating it to Commons if you guys think it's a good idea, and
> maintaining it here if you agree.
> 
> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> allow restricted sets of classes to be deserialized. An efficient
> whitelist-based ClassAcceptor is provided, as well as a more flexible
> and slower RegexpClassAcceptor that has both white and black lists -
> and of course one can supply their own ClassAcceptor implementation.
> 
> Are you guys interested? From my point of view it's good enough to
> release, it just needs additional OSGi Export-Package headers to be
> usable in an OSGi environment like Sling.
> 
> Let me know what you think.
> 
> -Bertrand
> 
> [1] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/
> 
> [2] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
> - it's basically just a "void accept(String className) throws
> ClassRejectedException" method.
> 


Re: SafeObjectInputStream in Commons?

Posted by Gary Gregory <ga...@gmail.com>.
Sounds interesting!

Gary
On Nov 13, 2015 9:48 AM, "Bertrand Delacretaz" <bd...@apache.org>
wrote:

> On Fri, Nov 13, 2015 at 6:27 PM, Bertrand Delacretaz
> <bd...@apache.org> wrote:
> >... How quick? Weekend starts in half an hour here...
>
> Actually that was more than enough, here you go:
> https://issues.apache.org/jira/browse/IO-487
>
> -Bertrand
>

Re: SafeObjectInputStream in Commons?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Nov 13, 2015 at 6:27 PM, Bertrand Delacretaz
<bd...@apache.org> wrote:
>... How quick? Weekend starts in half an hour here...

Actually that was more than enough, here you go:
https://issues.apache.org/jira/browse/IO-487

-Bertrand



Re: SafeObjectInputStream in Commons?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Nov 13, 2015 at 6:26 PM, Kristian Rosenvold
<kr...@apache.org> wrote:
> ...if you're quick I can review & incorporate it. Remember
> testcases :)...

How quick? Weekend starts in half an hour here and I'll be busy with
other things ;-)

And if I miss that "quick" train, when's the next one?

I have good test cases already.

-Bertrand



Re: SafeObjectInputStream in Commons?

Posted by Kristian Rosenvold <kr...@apache.org>.
I'd think commons-io too. I have once again started moves to release the
next version so if you're quick I can review & incorporate it. Remember
testcases :)

Kristian
On 13 Nov 2015 at 18:00, "Bertrand Delacretaz" <bd...@apache.org> wrote:

> Hi,
>
> I've just subscribed to this list after briefly discussing this with
> Benedikt Ritter.
>
> I have written a small module [1] that provides a safer replacement
> for ObjectInputStream, to avoid the recently discussed Java
> deserialization issues.
>
> For now that module is in my Sling whiteboard but I'd be interested in
> donating it to Commons if you guys think it's a good idea, and
> maintaining it here if you agree.
>
> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> allow restricted sets of classes to be deserialized. An efficient
> whitelist-based ClassAcceptor is provided, as well as a more flexible
> and slower RegexpClassAcceptor that has both white and black lists -
> and of course one can supply their own ClassAcceptor implementation.
>
> Are you guys interested? From my point of view it's good enough to
> release, it just needs additional OSGi Export-Package headers to be
> usable in an OSGi environment like Sling.
>
> Let me know what you think.
>
> -Bertrand
>
> [1]
> https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/
>
> [2]
> https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
> - it's basically just a "void accept(String className) throws
> ClassRejectedException" method.
>

Re: SafeObjectInputStream in Commons?

Posted by Uwe Barthel <ba...@x-reizend.de>.
+2 :-)

Kind regards
Uwe Barthel
-- 
barthel@x-reizend.de


> On 13 Nov 2015, at 18:22, Jörg Schaible <jo...@gmx.de> wrote:
> 
> Hi Bertrand,
> 
> Bertrand Delacretaz wrote:
> 
>> Hi,
>> 
>> I've just subscribed to this list after briefly discussing this with
>> Benedikt Ritter.
>> 
>> I have written a small module [1] that provides a safer replacement
>> for ObjectInputStream, to avoid the recently discussed Java
>> deserialization issues.
>> 
>> For now that module is in my Sling whiteboard but I'd be interested in
>> donating it to Commons if you guys think it's a good idea, and
>> maintaining it here if you agree.
>> 
>> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
>> allow restricted sets of classes to be deserialized. An efficient
>> whitelist-based ClassAcceptor is provided, as well as a more flexible
>> and slower RegexpClassAcceptor that has both white and black lists -
>> and of course one can supply their own ClassAcceptor implementation.
>> 
>> Are you guys interested? From my point of view it's good enough to
>> release, it just needs additional OSGi Export-Package headers to be
>> usable in an OSGi environment like Sling.
>> 
>> Let me know what you think.
> 
> Good enhancement. For commons-io?
> 
> Would be good to have also an analogous ObjectOutputStream, just to avoid a 
> problem at deserialisation time simply caused by accident.
> 
> Cheers,
> Jörg
> 
> 


Re: SafeObjectInputStream in Commons?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Jörg,

On Fri, Nov 13, 2015 at 6:22 PM, Jörg Schaible <jo...@gmx.de> wrote:
> ...Good enhancement. For commons-io?...

Probably, I'm not familiar with the wide picture of Commons modules.

> ...Would be good to have also an analogous ObjectOutputStream, just to avoid a
> problem at deserialisation time simply caused by accident...

So an ObjectOutputStream that uses the same ClassAcceptor filter? Makes sense.

-Bertrand



Re: SafeObjectInputStream in Commons?

Posted by Jörg Schaible <jo...@gmx.de>.
Hi Bertrand,

Bertrand Delacretaz wrote:

> Hi,
> 
> I've just subscribed to this list after briefly discussing this with
> Benedikt Ritter.
> 
> I have written a small module [1] that provides a safer replacement
> for ObjectInputStream, to avoid the recently discussed Java
> deserialization issues.
> 
> For now that module is in my Sling whiteboard but I'd be interested in
> donating it to Commons if you guys think it's a good idea, and
> maintaining it here if you agree.
> 
> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> allow restricted sets of classes to be deserialized. An efficient
> whitelist-based ClassAcceptor is provided, as well as a more flexible
> and slower RegexpClassAcceptor that has both white and black lists -
> and of course one can supply their own ClassAcceptor implementation.
> 
> Are you guys interested? From my point of view it's good enough to
> release, it just needs additional OSGi Export-Package headers to be
> usable in an OSGi environment like Sling.
> 
> Let me know what you think.

Good enhancement. For commons-io?

Would be good to have also an analogous ObjectOutputStream, just to avoid a 
problem at deserialisation time simply caused by accident.

Cheers,
Jörg

