[
https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006594#comment-15006594
]
Bertrand Delacretaz commented on IO-487:
----------------------------------------
> I'd suggest adding the name of the class rejected to the
> InvalidClassException
I intentionally didn't do that as security folks sometimes complain that these
sorts of things disclose too much information to an attacker. If adding the
name is fine with the usual Commons best practices I'm fine with that.
I'll look at your other comments later today, hopefully.
> SafeObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject.patch,
> IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
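The disclosure trade-off discussed in the comment above, as an added example that is not part of the JIRA thread and not the SafeObjectInputStream code from IO-487 or SLING-5288: a hypothetical allow-list ObjectInputStream that rejects in resolveClass (after the class descriptor is read, before any instance is created), logs the rejected class name for the operator, and lets the caller choose whether that name also appears in the InvalidClassException message that propagates to the client. The class and helper names, the allow list and the sample payload are all constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Hypothetical allow-list ObjectInputStream written for this page; it is not
 * the SafeObjectInputStream contributed in IO-487 and shares no code with it.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    private static final Logger LOG = Logger.getLogger(AllowListObjectInputStream.class.getName());

    private final Set<String> allowed;
    private final boolean nameInMessage;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed, boolean nameInMessage)
            throws IOException {
        super(in);
        this.allowed = allowed;
        this.nameInMessage = nameInMessage;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // The full detail always goes to the server-side log, where it is useful to the operator.
            LOG.warning("Rejected deserialization of class " + name);
            // The message below is what the caller (and possibly an HTTP error page) will see;
            // including the class name here is the disclosure concern raised in the comment.
            throw new InvalidClassException(nameInMessage
                    ? "Class not allowed for deserialization: " + name
                    : "Class not allowed for deserialization");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample type that is deliberately absent from the allow list.
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        int field = 42;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed, boolean nameInMessage) throws Exception {
        try (AllowListObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(bytes), allowed, nameInMessage)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // resolveClass is invoked for every class descriptor in the stream, including the
        // Serializable superclasses, so Integer needs Number on the list as well.
        Set<String> allowed = Set.of("java.lang.Integer", "java.lang.Number");
        System.out.println("allowed type round-trips: " + deserialize(serialize(Integer.valueOf(7)), allowed, false));

        // A disallowed type is rejected before an instance exists; compare the two caller-visible messages.
        byte[] payload = serialize(new NotAllowed());
        for (boolean verbose : new boolean[] {true, false}) {
            try {
                deserialize(payload, allowed, verbose);
            } catch (InvalidClassException e) {
                System.out.println("caller sees: " + e.getMessage());
            }
        }
    }
}
```

Note that the JDK's own `InvalidClassException(String cname, String reason)` constructor builds a message of the form `cname; reason`, so the class name leaks into the message unless the single-argument constructor is used. On Java 9 and later the same allow-listing can be done without subclassing via `ObjectInputFilter` (JEP 290), e.g. `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.Integer;java.lang.Number;!*"))`; its rejections surface as an `InvalidClassException` with a generic "filter status: REJECTED" message, while the rejected class name is available to an application-supplied filter for logging.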