[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bertrand Delacretaz updated IO-487:
-----------------------------------
Attachment: IO-487-accept-reject-2.patch

Here's an updated {{IO-487-accept-reject-2.patch}} that adds a protected
{{invalidClassNameFound}} method to {{ValidatingObjectInputStream}}, as
suggested by [~ebourg]. That method could be overridden to log invalid classes
instead of failing, and it also includes the comment about not logging the
invalid class name.

Do you guys think this can be committed? I guess what's important is to agree
on the API-like elements which are only the {{ClassNameMatcher}} interface and
the public/protected methods of {{ValidatingObjectInputStream}}.

> SafeObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch,
> IO-487-accept-reject.patch, IO-487-matchers.patch,
> IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.
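
The accept/reject idea with an overridable failure hook, as an added JDK-only example; it is not the code from the attached patch or from Commons IO. Only the hook name {{invalidClassNameFound}} comes from the message; {{AcceptRejectDemo}}, {{FilteringObjectInputStream}}, the {{Predicate}}-based rules and the sample objects are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.function.Predicate;
public class AcceptRejectDemo {
    // Hypothetical JDK-only stand-in for the stream discussed in the message.
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final List<Predicate<String>> accepted = new ArrayList<>();
        private final List<Predicate<String>> rejected = new ArrayList<>();
        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
        FilteringObjectInputStream accept(Predicate<String> m) { accepted.add(m); return this; }
        FilteringObjectInputStream reject(Predicate<String> m) { rejected.add(m); return this; }
        // Overridable hook, named as in the message; this default fails closed.
        protected void invalidClassNameFound(String className) throws InvalidClassException {
            throw new InvalidClassException("Class name not accepted");
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // A name must match at least one accept rule and no reject rule.
            boolean ok = accepted.stream().anyMatch(m -> m.test(name))
                    && rejected.stream().noneMatch(m -> m.test(name));
            if (!ok) invalidClassNameFound(name);
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (FilteringObjectInputStream in =
                new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            // Constructed policy: java.lang.* is accepted, java.lang.Long is rejected.
            in.accept(n -> n.startsWith("java.lang.")).reject(n -> n.equals("java.lang.Long"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one accepted class, one rejected, one never accepted.
        System.out.println("read: " + read(serialize(Integer.valueOf(42))));
        for (Object o : new Object[] { Long.valueOf(7), new ArrayList<String>() }) {
            try { read(serialize(o)); }
            catch (InvalidClassException e) { System.out.println("blocked " + o.getClass().getName()); }
        }
    }
}
```

The check runs in {{resolveClass}}, before the class is loaded and before any of its {{readObject}} logic executes; a subclass that overrides the hook to log and return without throwing lets deserialization of that class proceed.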