[ 
https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006676#comment-15006676
 ] 

Bertrand Delacretaz commented on IO-487:
----------------------------------------

bq. ...any class is rejected unless it's explicitly accepted. Calling reject() 
has no real effect on the end result. 

I think the IO-487-accept-reject.patch logic makes sense considering the use 
of wildcard matchers:

By default nothing is accepted, to force users to think about what they accept. 
If you don't call {{accept}}, nothing works and I think it's good. This allows 
you to just tell your developers to use {{ValidatingObjectInputStream}} and 
they'll discover the rest by themselves.

The most common case (and recommended IMO) is probably to just accept a single 
or a few classes, like {{accept(MyClass.class)}} or 
{{accept(org.mycompany.safestuff.*)}}. This is a pure whitelisting mode.

If you want a whitelist with a few exceptions you can do something like 

{noformat}accept("org.*").reject("org.badguys.*"){noformat}

Such a wide accept pattern is not recommended but works if you know what you're 
doing. And the order of the accept/reject calls is not important, reject always 
wins which is good for security.

If you want to use a standard blacklist on top of whatever you accept, just to 
be on the safe side, you can require your users to always call 
{{reject(YOUR_STANDARD_BLACKLIST)}}

Does this make sense?

> SafeObjectInputStream contribution - restrict which classes can be 
> deserialized
> -------------------------------------------------------------------------------
>
>                 Key: IO-487
>                 URL: https://issues.apache.org/jira/browse/IO-487
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>
>         Attachments: IO-487-2.patch, IO-487-accept-reject.patch, 
> IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, 
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 
> code to commons-io. I'll attach a patch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
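The accept/reject semantics described in the comment above (default deny, wildcard whitelist, reject always winning regardless of call order), as an added example that is not part of the issue or its patches. It assumes commons-io 2.5 or later on the classpath, uses a constructed serialized java.util.ArrayList as the payload, and the helper names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class AcceptRejectDemo {

    // Constructed sample payload: a serialized java.util.ArrayList holding one String.
    // Only the ArrayList class descriptor goes through resolveClass(); the String
    // element is written as a raw TC_STRING and is never name-checked.
    static byte[] serializedList() throws Exception {
        List<String> list = new ArrayList<>();
        list.add("hello");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(list);
        }
        return bos.toByteArray();
    }

    // Deserialize the payload through a ValidatingObjectInputStream configured by the
    // caller. Returns null on success, or the InvalidClassException message when the
    // stream refused a class name (hypothetical helper for this demo).
    static String tryRead(byte[] data, UnaryOperator<ValidatingObjectInputStream> configure)
            throws Exception {
        try (ValidatingObjectInputStream vois =
                     configure.apply(new ValidatingObjectInputStream(new ByteArrayInputStream(data)))) {
            vois.readObject();
            return null;
        } catch (InvalidClassException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serializedList();
        // 1. Default deny: with no accept() call nothing is resolvable, even ArrayList.
        System.out.println("no accept()        -> " + tryRead(data, v -> v));
        // 2. Pure whitelist: the recommended mode, accept only the package you expect.
        System.out.println("accept java.util.* -> " + tryRead(data, v -> v.accept("java.util.*")));
        // 3. Whitelist with an exception (the comment's accept("org.*").reject("org.badguys.*")
        //    shape): reject wins no matter which call comes first.
        System.out.println("accept then reject -> "
                + tryRead(data, v -> v.accept("java.util.*").reject("java.util.ArrayList")));
        System.out.println("reject then accept -> "
                + tryRead(data, v -> v.reject("java.util.ArrayList").accept("java.util.*")));
    }
}
```

Cases 1, 3 and 4 print the rejection message for java.util.ArrayList; only case 2 prints null, matching the "nothing works until you call accept, and reject always wins" behaviour the comment describes.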