Hi,

I've just subscribed to this list after briefly discussing this with
Benedikt Ritter.

I have written a small module [1] that provides a safer replacement
for ObjectInputStream, to avoid the recently discussed Java
deserialization issues.

For now that module is in my Sling whiteboard but I'd be interested in
donating it to Commons if you guys think it's a good idea, and
maintaining it here if you agree.

This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
allow restricted sets of classes to be deserialized. An efficient
whitelist-based ClassAcceptor is provided, as well as a more flexible
and slower RegexpClassAcceptor that has both white and black lists -
and of course one can supply their own ClassAcceptor implementation.

Are you guys interested? From my point of view it's good enough to
release, it just needs additional OSGi Export-Package headers to be
usable in an OSGi environment like Sling.

Let me know what you think.

-Bertrand

[1] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/

[2] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
- it's basically just a "void accept(String className) throws
ClassRejectedException" method.
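An added illustration of the design this mail describes (my own sketch, not the whiteboard code at [1]): an ObjectInputStream subclass that routes every class descriptor through the one-method ClassAcceptor before the class is loaded, plus a whitelist acceptor that also normalises array descriptors. The class and exception names follow the mail; their bodies are assumed.

```java
import java.io.*;
import java.util.*;

// Raised when a class in the stream is not allowed (body assumed; the mail only names it).
class ClassRejectedException extends IOException {
    ClassRejectedException(String className) {
        super("Deserialization of class rejected: " + className);
    }
}

// The one-method interface the mail describes; this definition is mine, not the whiteboard's.
interface ClassAcceptor {
    void accept(String className) throws ClassRejectedException;
}

// Exact-name whitelist. Array descriptors ("[Ljava.util.ArrayList;", "[I") are reduced
// to their element type so wrapping a class in an array cannot slip past the list.
class WhitelistClassAcceptor implements ClassAcceptor {
    private final Set<String> allowed;
    WhitelistClassAcceptor(String... names) { allowed = new HashSet<>(Arrays.asList(names)); }
    @Override
    public void accept(String className) throws ClassRejectedException {
        String name = className;
        boolean array = name.startsWith("[");
        while (name.startsWith("[")) name = name.substring(1);
        if (array && name.length() == 1) return;            // primitive element type (I, J, B, ...)
        if (array && name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        if (!allowed.contains(name)) throw new ClassRejectedException(className);
    }
}

// ObjectInputStream that consults the acceptor before any class is resolved.
class SafeObjectInputStream extends ObjectInputStream {
    private final ClassAcceptor acceptor;
    SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
        super(in);
        this.acceptor = acceptor;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        acceptor.accept(desc.getName());   // also invoked for superclass descriptors in the stream
        return super.resolveClass(desc);
    }
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new ClassRejectedException("dynamic proxy " + Arrays.toString(interfaces));
    }
}
```

With new WhitelistClassAcceptor("java.util.ArrayList") a serialised ArrayList<String> reads normally (String is written as a stream string, not as a class descriptor), while a stream carrying java.util.HashMap fails in resolveClass before the class is loaded or any readObject runs.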
