jbonofre commented on code in PR #3333:
URL: https://github.com/apache/avro/pull/3333#discussion_r2008694584
##########
lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java:
##########
@@ -37,8 +37,19 @@ public class SpecificDatumReader<T> extends
GenericDatumReader<T> {
public static final String[] SERIALIZABLE_PACKAGES;
static {
- SERIALIZABLE_PACKAGES =
System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
-
"java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
+ String defaultPackages =
"java.lang,java.math,java.io,java.net,org.apache.avro.reflect";
+
+ String userDefinedPackages =
System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES", "");
Review Comment:
I got your point, but if the user doesn't want the default packages (for
security reasons), he can't really remove these packages from the trusted ones.
Maybe more a warn message or documentation ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
