[
https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014417#comment-15014417
]
Bertrand Delacretaz commented on IO-487:
----------------------------------------
bq. If you have to declare any accepted class, you might be surprised how many
of it you're actually using ([~joehni]).
Indeed. I have added a {{MoreComplexObjectTest}} [1] which demonstrates this,
using 3 variants: trust {{java.lang}} packages, trust all {{java}} packages,
and a blacklist-only mode.
The "trust java" variant is not too bad:
{code}
new ValidatingObjectInputStream(inputStream)
    .accept(MoreComplexObject.class)
    .accept("java.*", "[Ljava.*")
{code}
But of course it depends on one's concrete cases.
[1]
https://svn.apache.org/repos/asf/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
> ValidatingObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch,
> IO-487-accept-reject.patch, IO-487-matchers.patch,
> IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.
> _Update: this is committed now, see [1] for an example_.
> [1]
> https://svn.apache.org/repos/asf/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
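The point discussed in the comment above (how many classes even a small object graph pulls in, and how the "trust java.lang" and "trust java" variants differ) can be seen with a JDK-only look-ahead stream. This is an added example, not code from the comment or from Commons IO: Sample, AuditingStream and the plain prefix matching are hypothetical stand-ins for MoreComplexObject, ValidatingObjectInputStream and its wildcard patterns.

```java
import java.io.*;
import java.util.*;

public class AllowlistAudit {
    // Constructed sample type; stands in for the page's MoreComplexObject.
    static class Sample implements Serializable {
        String name = "demo";
        Integer count = 3;
        List<Object> items = new ArrayList<>(Arrays.asList(1L, new Date(0)));
        String[] tags = {"a", "b"};
    }

    // Checks every class descriptor in the stream before the class is resolved.
    static class AuditingStream extends ObjectInputStream {
        final Set<String> seen = new TreeSet<>();
        private final List<String> allowedPrefixes;
        AuditingStream(InputStream in, String... allowedPrefixes) throws IOException {
            super(in);
            this.allowedPrefixes = Arrays.asList(allowedPrefixes);
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            seen.add(name); // record what the stream asks for, allowed or not
            if (allowedPrefixes.stream().noneMatch(name::startsWith)) {
                throw new InvalidClassException(name, "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Sample());
        }
        String own = Sample.class.getName();
        // Variant 1: own class plus java.lang only. Variant 2: all java packages and their arrays.
        String[][] variants = {{own, "java.lang."}, {own, "java.", "[Ljava."}};
        for (String[] allow : variants) {
            try (AuditingStream in = new AuditingStream(
                    new ByteArrayInputStream(buf.toByteArray()), allow)) {
                in.readObject();
                System.out.println("accepted, classes seen: " + in.seen);
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.classname);
            }
        }
    }
}
```

Strings are written inline without a class descriptor, so they never reach resolveClass, while superclasses such as java.lang.Number and array types do.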