alhudz opened a new pull request, #1693:
URL: https://github.com/apache/commons-lang/pull/1693
1. `CharRange` reverses reversed endpoints in its constructor, so a
constructed instance always holds `start <= end`; with no `readObject`, default
deserialisation restores the raw fields.
2. A crafted stream (reachable through a serialised `CharSet`, which holds
`Set<CharRange>`) can carry `start > end`, after which `contains(char)` matches
nothing for that range and the iterator walks it incorrectly.

Repro: reflectively set a `CharRange.isIn('a', 'e')` to
`start='z'`/`end='a'`, serialise, then deserialise. Before: it round-trips into
an inverted range. After: `InvalidObjectException`, in line with the recent
`Range` (#1686) and `Fraction` (#1688) readObject hardening.

Re-asserted `start <= end` after `defaultReadObject()`.
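
The `readObject` re-check described in the pull request above, as an added example that is not part of the original message and not the commons-lang source. `DemoRange`, `serialise` and `deserialise` are hypothetical stand-ins, and the inverted instance is built directly in memory in place of a crafted stream.

```java
import java.io.*;
public class ReadObjectInvariantDemo {
    // Hypothetical stand-in for a range type; not the commons-lang CharRange source.
    static final class DemoRange implements Serializable {
        private static final long serialVersionUID = 1L;
        private char start; // non-final only so main() can build a bad instance
        private char end;
        DemoRange(char a, char b) {
            // The constructor normalises reversed endpoints: start <= end holds here.
            this.start = a <= b ? a : b;
            this.end = a <= b ? b : a;
        }
        boolean contains(char ch) { return ch >= start && ch <= end; }
        // Default deserialisation bypasses the constructor, so the invariant
        // is re-asserted on the restored fields.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (start > end) {
                throw new InvalidObjectException("start > end in serialised range");
            }
        }
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object deserialise(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A normally constructed range survives the round trip unchanged.
        DemoRange ok = (DemoRange) deserialise(serialise(new DemoRange('e', 'a')));
        System.out.println("valid round trip contains 'c': " + ok.contains('c'));
        DemoRange bad = new DemoRange('a', 'e');
        bad.start = 'z'; bad.end = 'a'; // constructed bad state, stands in for a crafted stream
        try {
            deserialise(serialise(bad));
            System.out.println("inverted range accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Deleting the `readObject` method from `DemoRange` shows the "before" behaviour from the description: the inverted instance deserialises without error.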