[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006676#comment-15006676 ]
Bertrand Delacretaz commented on IO-487:
----------------------------------------

bq. ...any class is rejected unless it's explicitly accepted. Calling reject() has no real effect on the end result.

I think the IO-487-accept-reject.patch logic makes sense considering the use of wildcard matchers: by default nothing is accepted, to force users to think about what they accept. If you don't call {{accept}}, nothing works, and I think it's good. This allows you to just tell your developers to use {{ValidatingObjectInputStream}} and they'll discover the rest by themselves.

The most common case (and recommended IMO) is probably to just accept a single or a few classes, like {{accept(MyClass.class)}} or {{accept(org.mycompany.safestuff.*)}}. This is a pure whitelisting mode.

If you want a whitelist with a few exceptions, you can do something like

{noformat}accept("org.*").reject("org.badguys.*"){noformat}

Such a wide accept pattern is not recommended but works if you know what you're doing. And the order of the accept/reject calls is not important; reject always wins, which is good for security.

If you want to use a standard blacklist on top of whatever you accept, just to be on the safe side, you can require your users to always call {{reject(YOUR_STANDARD_BLACKLIST)}}.

Does this make sense?
> SafeObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io. I'll attach a patch.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
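The accept/reject semantics described in the comment above (nothing accepted by default, pure whitelisting with accept(Class), a wide wildcard accept with a reject exception, and reject winning regardless of call order), as an added example that is not part of the JIRA thread or of the commons-io patches. It assumes the ValidatingObjectInputStream API as released in commons-io 2.5 (org.apache.commons.io.serialization.ValidatingObjectInputStream with chained accept(...)/reject(...) taking Class or wildcard String arguments, and readObject() throwing InvalidClassException on a rejected class name). The Safe class, the serialized bytes and the AcceptRejectDemo/isRejected/check names are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.function.Consumer;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class AcceptRejectDemo {

    // Constructed sample type for the demo; it is not part of commons-io.
    // Only primitive fields, so the only class descriptor in the stream is this one.
    static final class Safe implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        Safe(int id) { this.id = id; }
    }

    // Serializes an object with the plain JDK ObjectOutputStream (the "untrusted bytes").
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with a ValidatingObjectInputStream configured by 'configure'.
    // Returns true if the validator rejected the class (InvalidClassException),
    // false if readObject() succeeded.
    static boolean isRejected(byte[] bytes, Consumer<ValidatingObjectInputStream> configure)
            throws Exception {
        try (ValidatingObjectInputStream in =
                     new ValidatingObjectInputStream(new ByteArrayInputStream(bytes))) {
            configure.accept(in);
            in.readObject();
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError("expectation failed: " + what);
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Safe(42));

        // Default: nothing is accepted, so even a harmless class is rejected.
        check(isRejected(bytes, in -> { }),
              "no accept() call rejects everything");

        // Pure whitelisting: accept exactly the class you expect.
        check(!isRejected(bytes, in -> in.accept(Safe.class)),
              "accept(Safe.class) allows Safe");

        // A whitelist pattern that does not cover the class is not enough.
        check(isRejected(bytes, in -> in.accept("org.mycompany.safestuff.*")),
              "unrelated wildcard pattern still rejects Safe");

        // Wide wildcard accept with an exception: reject wins, whatever the call order.
        check(isRejected(bytes, in -> in.accept("*").reject(Safe.class)),
              "reject() after accept(\"*\") still rejects");
        check(isRejected(bytes, in -> in.reject(Safe.class).accept("*")),
              "reject() before accept(\"*\") still rejects");

        System.out.println("all accept/reject expectations held");
    }
}
```

Compile and run with commons-io 2.5 or later on the classpath (for example the Maven coordinates commons-io:commons-io:2.5). Note that the validator only sees class names resolved through resolveClass(), so a field of a whitelisted class whose declared type is another Serializable class needs that class accepted too, and a wide pattern such as "*" or "org.*" defeats the point of the whitelist unless a maintained reject list sits on top of it, as the comment recommends.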