[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018083#comment-15018083 ] Bertrand Delacretaz commented on IO-487: To match against Class objects you'd need to instantiate

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018084#comment-15018084 ] Bertrand Delacretaz commented on IO-487: Regarding the various usability suggestions I think those are

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014017#comment-15014017 ] Bertrand Delacretaz commented on IO-487: Ran the Cobertura coverage with "mvn site",

[jira] [Updated] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Description: As discussed on the commons dev list I'd like to contribute my SLING-5288 code to

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014417#comment-15014417 ] Bertrand Delacretaz commented on IO-487: bq. If you have to declare any accepted class, you might be

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014154#comment-15014154 ] Bertrand Delacretaz commented on IO-487: Done, http://svn.apache.org/r1715240 >

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013920#comment-15013920 ] Bertrand Delacretaz commented on IO-487: I have committed IO-487-accept-reject-2.patch with minor

[jira] [Comment Edited] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013920#comment-15013920 ] Bertrand Delacretaz edited comment on IO-487 at 11/19/15 5:11 PM: -- I have

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013951#comment-15013951 ] Bertrand Delacretaz commented on IO-487: bq. If I try to exploit code by deserializing MyExploit.class,

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013966#comment-15013966 ] Bertrand Delacretaz commented on IO-487: Added the class name in the InvalidClassException, as

[jira] [Updated] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Summary: ValidatingObjectInputStream contribution - restrict which classes can be deserialized

[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Attachment: IO-487-accept-reject-2.patch Here's an updated {{IO-487-accept-reject-2.patch}} that

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011332#comment-15011332 ] Bertrand Delacretaz commented on IO-487: bq. if nobody objects you can even do it yourself since the

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011611#comment-15011611 ] Bertrand Delacretaz commented on IO-487: RestrictedObjectInputStream maybe, but

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011647#comment-15011647 ] Bertrand Delacretaz commented on IO-487: at least you spelled it right, that's not so common ;-) >

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006893#comment-15006893 ] Bertrand Delacretaz commented on IO-487: The {{IO-487-accept-reject.patch}} uses a different and much

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006769#comment-15006769 ] Bertrand Delacretaz commented on IO-487: You mean in methods like {{accept(MyClass.class)}} ? One

[jira] [Comment Edited] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006769#comment-15006769 ] Bertrand Delacretaz edited comment on IO-487 at 11/16/15 3:22 PM: -- You mean

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006594#comment-15006594 ] Bertrand Delacretaz commented on IO-487: bq. I'd suggest adding the name of the class rejected to the

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006676#comment-15006676 ] Bertrand Delacretaz commented on IO-487: bq. ...any class is rejected unless it's explicitly accepted.

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15007292#comment-15007292 ] Bertrand Delacretaz commented on IO-487: For that you can write a ClassNameMatcher that accepts

[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Attachment: IO-487-accept-reject.patch Here's IO-487-accept-reject.patch with the suggested

[jira] [Comment Edited] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006559#comment-15006559 ] Bertrand Delacretaz edited comment on IO-487 at 11/16/15 11:51 AM: --- Here's

[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Attachment: IO-487-matchers.patch Based on all those great ideas, here's a variant

[jira] [Comment Edited] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006477#comment-15006477 ] Bertrand Delacretaz edited comment on IO-487 at 11/16/15 10:37 AM: --- Or maybe

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006477#comment-15006477 ] Bertrand Delacretaz commented on IO-487: Or maybe {code} ObjectInputStream ois = new

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-16 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15006512#comment-15006512 ] Bertrand Delacretaz commented on IO-487: bq. ...we can reuse FilenameUtils.wildcardMatch(String,

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15004397#comment-15004397 ] Bertrand Delacretaz commented on IO-487: Forgot to mention good contributions from

[jira] [Created] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
Bertrand Delacretaz created IO-487: -- Summary: SafeObjectInputStream contribution - restrict which classes can be deserialized Key: IO-487 URL: https://issues.apache.org/jira/browse/IO-487 Project:

[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Attachment: IO-487.patch > SafeObjectInputStream contribution - restrict which classes can be >

[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Attachment: IO-487.patch Here's an updated patch that uses UnsupportedOperationException, good

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15004563#comment-15004563 ] Bertrand Delacretaz commented on IO-487: You are welcome! > SafeObjectInputStream contribution -

[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bertrand Delacretaz updated IO-487: --- Attachment: IO-487.patch Another update...just a comment change. > SafeObjectInputStream

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15004870#comment-15004870 ] Bertrand Delacretaz commented on IO-487: RestrictedObjectInputStream? > SafeObjectInputStream

[jira] [Commented] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized

2015-11-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15004869#comment-15004869 ] Bertrand Delacretaz commented on IO-487: RestrictedObjectInputStream? > SafeObjectInputStream