JinwooHwang commented on code in PR #7966:
URL: https://github.com/apache/geode/pull/7966#discussion_r2604842408
##########
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/ClassLoaderObjectInputStream.java:
##########
@@ -16,16 +16,41 @@
import java.io.IOException;
import java.io.InputStream;
+import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
/**
* This class is used when session attributes need to be reconstructed with a
new classloader.
+ * It now supports ObjectInputFilter for secure deserialization.
*/
public class ClassLoaderObjectInputStream extends ObjectInputStream {
private final ClassLoader loader;
+ /**
+ * Constructs a ClassLoaderObjectInputStream with an ObjectInputFilter for
secure deserialization.
+ *
+ * @param in the input stream to read from
+ * @param loader the ClassLoader to use for class resolution
+ * @param filter the ObjectInputFilter to validate deserialized classes
(required for security)
+ * @throws IOException if an I/O error occurs
+ */
+ public ClassLoaderObjectInputStream(InputStream in, ClassLoader loader,
ObjectInputFilter filter)
+ throws IOException {
+ super(in);
+ this.loader = loader;
+ setObjectInputFilter(filter);
Review Comment:
Great catch! Added a null check.