[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2017-07-31 Thread Jon Harper (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16107618#comment-16107618 ] Jon Harper commented on IO-487: --- Hi, just adding a comment here as this is the best documentation I have found

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018083#comment-15018083 ] Bertrand Delacretaz commented on IO-487: To match against Class objects you'd need to instantiate

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018084#comment-15018084 ] Bertrand Delacretaz commented on IO-487: Regarding the various usability suggestions I think those are

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Christopher Schultz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018108#comment-15018108 ] Christopher Schultz commented on IO-487: Instantiating the java.lang.Class object for a class is

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Adrian Crum (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018147#comment-15018147 ] Adrian Crum commented on IO-487: Or create static ClassNameMatcher members for common class categories. The

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Thomas Neidhart (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15018154#comment-15018154 ] Thomas Neidhart commented on IO-487: btw. some observations from a few tests that I made:

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Thomas Neidhart (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15015408#comment-15015408 ] Thomas Neidhart commented on IO-487: The ClassNameMatcher as it is now implemented is quite easy to use,

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Emmanuel Bourg (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15015407#comment-15015407 ] Emmanuel Bourg commented on IO-487: --- Another idea we could consider, if trusting some packages or classes by

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-20 Thread Emmanuel Bourg (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15015417#comment-15015417 ] Emmanuel Bourg commented on IO-487: --- Another usability suggestion: if the type {{T}} is trusted, then

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Kristian Rosenvold (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014025#comment-15014025 ] Kristian Rosenvold commented on IO-487: --- Yes please ! > ValidatingObjectInputStream contribution -

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014017#comment-15014017 ] Bertrand Delacretaz commented on IO-487: Ran the Cobertura coverage with "mvn site",

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014417#comment-15014417 ] Bertrand Delacretaz commented on IO-487: bq. If you have to declare any accepted class, you might be

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014154#comment-15014154 ] Bertrand Delacretaz commented on IO-487: Done, http://svn.apache.org/r1715240 >

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Emmanuel Bourg (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15014580#comment-15014580 ] Emmanuel Bourg commented on IO-487: --- What about trusting {{java.lang}} by default? >

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Adrian Crum (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013889#comment-15013889 ] Adrian Crum commented on IO-487: Without the class name, the exception is not useful to the developer. What

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013920#comment-15013920 ] Bertrand Delacretaz commented on IO-487: I have committed IO-487-accept-reject-2.patch with minor

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013951#comment-15013951 ] Bertrand Delacretaz commented on IO-487: bq. If I try to exploit code by deserializing MyExploit.class,

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-19 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013966#comment-15013966 ] Bertrand Delacretaz commented on IO-487: Added the class name in the InvalidClassException, as

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Gary Gregory (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011354#comment-15011354 ] Gary Gregory commented on IO-487: - I like {{ValidatingObjectInputStream}} for the name. >

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Christopher Schultz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011403#comment-15011403 ] Christopher Schultz commented on IO-487: I would suggest Filter[ing]ObjectInputStream, except it

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Emmanuel Bourg (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011319#comment-15011319 ] Emmanuel Bourg commented on IO-487: --- It looks ready to be committed to me, and if nobody objects you can

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011332#comment-15011332 ] Bertrand Delacretaz commented on IO-487: bq. if nobody objects you can even do it yourself since the

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011611#comment-15011611 ] Bertrand Delacretaz commented on IO-487: RestrictedObjectInputStream maybe, but

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011647#comment-15011647 ] Bertrand Delacretaz commented on IO-487: at least you spelled it right, that's not so common ;-) >

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Gary Gregory (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011623#comment-15011623 ] Gary Gregory commented on IO-487: - This is also {{DelacretazObjectInputStream}} ... ;-) >

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Emmanuel Bourg (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15013031#comment-15013031 ] Emmanuel Bourg commented on IO-487: --- The name isn't included on purpose to avoid disclosing too much

[jira] [Commented] (IO-487) ValidatingObjectInputStream contribution - restrict which classes can be deserialized

2015-11-18 Thread Niall Pemberton (JIRA)
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15012207#comment-15012207 ] Niall Pemberton commented on IO-487: Go for it - looks good to me, the only minor comment I have is, can