abhilakshyadobhal commented on code in PR #3333:
URL: https://github.com/apache/avro/pull/3333#discussion_r2008678133
##########
lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java:
##########
@@ -37,8 +37,19 @@ public class SpecificDatumReader<T> extends
GenericDatumReader<T> {
public static final String[] SERIALIZABLE_PACKAGES;
static {
- SERIALIZABLE_PACKAGES =
System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
-
"java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
+ String defaultPackages =
"java.lang,java.math,java.io,java.net,org.apache.avro.reflect";
+
+ String userDefinedPackages =
System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES", "");
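Review bot: At `System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES", "")` the fallback is now an empty string, so the code that combines `userDefinedPackages` with `defaultPackages` has to trim each entry and drop empty ones before the result is stored in `SERIALIZABLE_PACKAGES`. In Java, splitting `""` on `,` yields a single empty element, and a leading or doubled comma in the property value produces one as well; an empty entry in a trusted-package list should not be left for the matching code to interpret. Separately, the removed lines let the property replace the built-in list, which allowed a deployment to trust fewer packages than the default. If the new code always adds `defaultPackages`, that narrowing is no longer possible, so the change in semantics should be documented on this field or the override behaviour kept available.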
Review Comment:
It's noted that we can do that.
Even though Avro already knows some default packages that are considered
trustable, if a user defines custom packages and forgets to include these
default ones, it may lead to errors when deserializing objects that rely on
them.