[https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018083#comment-15018083]
Bertrand Delacretaz commented on IO-487:
----------------------------------------
To match against Class objects you'd need to instantiate those Class objects
based on the {{ObjectStreamClass}} that's passed to the
{{ObjectInputStream.resolveClass}} method. You'd then have to be very careful
not to initialize any unwanted classes, as that might execute arbitrary code.
It's probably easier to keep things safe when working via class names only, for
data that comes from the outside.
> ValidatingObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch,
> IO-487-accept-reject.patch, IO-487-matchers.patch,
> IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.
> _Update: this is committed now, see [1] for an example_.
> [1] https://svn.apache.org/repos/asf/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
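As an added illustration of the name-only check the comment recommends (this is a hypothetical example, not Commons IO's ValidatingObjectInputStream and not code from the issue): an ObjectInputStream subclass that consults ObjectStreamClass.getName() inside resolveClass and rejects anything outside a constructed allowlist before the class is ever loaded, so no untrusted class gets initialized.

```java
import java.io.*;
import java.util.*;

// Hypothetical name-based allowlisting stream (not Commons IO's ValidatingObjectInputStream).
public class NameAllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedNames;

    public NameAllowlistObjectInputStream(InputStream in, Set<String> allowedNames) throws IOException {
        super(in);
        this.allowedNames = allowedNames;
    }

    // Invoked for every non-proxy class descriptor read from the stream, before the class is loaded.
    // Deciding on desc.getName() alone means no Class object is created for a rejected name.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedNames.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Helper that produces constructed sample streams for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton("java.util.Date"); // constructed allowlist
        byte[] ok = serialize(new Date(0L));                         // descriptor: java.util.Date
        byte[] bad = serialize(new HashMap<String, String>());       // descriptor: java.util.HashMap
        try (ObjectInputStream in = new NameAllowlistObjectInputStream(new ByteArrayInputStream(ok), allowed)) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new NameAllowlistObjectInputStream(new ByteArrayInputStream(bad), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Dynamic proxy descriptors bypass resolveClass and go through resolveProxyClass instead, so a complete filter must override that method with the same name-based check.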
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)