[
https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107618#comment-16107618
]
Jon Harper commented on IO-487:
-------------------------------
Hi,
Just adding a comment here as this is the best documentation I have found for
this feature. (This is actually what Thomas Neidhart said in the comment just
before mine, but I didn't understand it. At least I assume that's what he meant.)
> java.lang.String will not be resolved
I confirm that you cannot blacklist java.lang.String. It will always be
whitelisted and it is like this by default. And java.lang.String is the only
object that is like this.
This is because this algorithm works by using the readResolve call of the
ClassDesc (which comes before the object in the stream). Looking at
https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html,
java.lang.String is the only one that doesn't have a ClassDesc.
So primitive types and String are always whitelisted; all other types
(including arrays and boxed variants of primitive types) need to be
whitelisted (either through a package java.lang.* or individually) to allow
deserializing all the transitive fields of all the objects needed to
deserialize the top object.
Cheers,
Jon
> ValidatingObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch,
> IO-487-accept-reject.patch, IO-487-matchers.patch,
> IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.
> _Update: this is committed now, see [1] for an example_.
> [1]
> https://svn.apache.org/repos/asf/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
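The behaviour discussed in the comment above, as an added, stand-alone Java example (not part of Jon's comment, the issue, or the commons-io test suite). It assumes commons-io 2.5 or later on the classpath and Java 8 for the lambdas; the Payload class, the Rule interface and the labels are invented for the demonstration. The program serializes one object with a String, a boxed Integer and an int[] field, then reads it back through ValidatingObjectInputStream under four whitelist/blacklist configurations to show which class names the stream actually validates:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

/** Added demo class (not from commons-io): shows which class names get validated. */
public class WhitelistDemo {

    /** Hypothetical payload: one String, one boxed Integer, one primitive array. */
    public static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        Integer count;
        int[] data;

        Payload(String name, Integer count, int[] data) {
            this.name = name;
            this.count = count;
            this.data = data;
        }
    }

    /** Configures accept/reject rules on a fresh stream before readObject(). */
    interface Rule {
        void apply(ValidatingObjectInputStream in);
    }

    /** Standard Java serialization into a byte array (constructed sample input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes under the given rule and reports accept or InvalidClassException. */
    static void attempt(String label, byte[] bytes, Rule rule) throws IOException {
        try (ValidatingObjectInputStream in =
                 new ValidatingObjectInputStream(new ByteArrayInputStream(bytes))) {
            rule.apply(in);
            Payload p = (Payload) in.readObject();
            System.out.println(label + ": OK, name=" + p.name
                + " count=" + p.count + " data.length=" + p.data.length);
        } catch (InvalidClassException e) {
            // ValidatingObjectInputStream rejects by throwing InvalidClassException
            System.out.println(label + ": REJECTED -> " + e.getMessage());
        } catch (ClassNotFoundException e) {
            System.out.println(label + ": class not found -> " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Payload("alice", 3, new int[] {1, 2, 3}));

        // 1. Only the top-level class is accepted. The String field is never
        //    validated, but the first non-String object (the boxed Integer, which
        //    is streamed with its own class descriptor) is rejected.
        attempt("top-level only", bytes, in -> in.accept(Payload.class));

        // 2. Full whitelist. Integer's serializable superclass Number is written
        //    as a class descriptor too, and the int[] arrives under the name "[I",
        //    so both must be accepted explicitly (or via the pattern "java.lang.*").
        attempt("full whitelist", bytes,
            in -> in.accept(Payload.class, Integer.class, Number.class, int[].class));

        // 3. Blacklisting java.lang.String changes nothing: the String field is
        //    written as a TC_STRING record with no class descriptor, so
        //    resolveClass() is never called for it and the reject rule never fires.
        attempt("String on blacklist", bytes,
            in -> in.accept(Payload.class, Integer.class, Number.class, int[].class)
                    .reject(String.class));

        // 4. Blacklisting a class that does have a descriptor works, and reject
        //    takes precedence over an accept rule that also matches it.
        attempt("Integer on blacklist", bytes,
            in -> in.accept(Payload.class, Integer.class, Number.class, int[].class)
                    .reject(Integer.class));
    }
}
```

Run with commons-io on the classpath; cases 2 and 3 print OK, cases 1 and 4 print REJECTED. The practical consequence for a whitelist is the one the comment draws: enumerate every class, array type and serializable superclass that appears anywhere in the object graph (Number for Integer, "[I" for int[]), and do not count on a reject rule for java.lang.String doing anything, since that name never reaches the validator.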