Hi Bertrand,

Bertrand Delacretaz wrote:
> Hi,
>
> I've just subscribed to this list after briefly discussing this with
> Benedikt Ritter.
>
> I have written a small module [1] that provides a safer replacement
> for ObjectInputStream, to avoid the recently discussed Java
> deserialization issues.
>
> For now that module is in my Sling whiteboard but I'd be interested in
> donating it to Commons if you guys think it's a good idea, and
> maintaining it here if you agree.
>
> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> allow restricted sets of classes to be deserialized. An efficient
> whitelist-based ClassAcceptor is provided, as well as a more flexible
> and slower RegexpClassAcceptor that has both white and black lists -
> and of course one can supply their own ClassAcceptor implementation.
>
> Are you guys interested? From my point of view it's good enough to
> release, it just needs additional OSGi Export-Package headers to be
> usable in an OSGi environment like Sling.
>
> Let me know what you think.

Good enhancement. For commons-io?

Would be good to have also an analogous ObjectOutputStream, just to avoid a problem at deserialisation time simply caused by accident.

Cheers,
Jörg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
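As an added illustration of the acceptor approach Bertrand describes (this is example code written for this page, not the Sling whiteboard module), the sketch below shows a whitelist ClassAcceptor plugged into an ObjectInputStream subclass that vetoes classes in resolveClass, so a rejected class is never instantiated. The interface and class names are assumed to mirror the thread; the sample data is constructed inline.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Set;

// Hypothetical acceptor interface modelled on the ClassAcceptor idea in the thread
interface ClassAcceptor { boolean accept(String className); }
// Exact-name whitelist: the strict, cheap acceptor
final class WhitelistClassAcceptor implements ClassAcceptor {
    private final Set<String> allowed;
    WhitelistClassAcceptor(Set<String> allowed) { this.allowed = Set.copyOf(allowed); }
    public boolean accept(String className) { return allowed.contains(className); }
}
// resolveClass is called for every class descriptor in the stream, superclasses
// included, before any instance exists, so a rejected class is never constructed
final class SafeObjectInputStream extends ObjectInputStream {
    private final ClassAcceptor acceptor;
    SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
        super(in); this.acceptor = acceptor;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!acceptor.accept(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not accepted for deserialization");
        }
        return super.resolveClass(desc);
    }
}

public class SafeStreamDemo {
    // Constructed sample data: serialize a value with the plain JDK stream
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Integer's stream carries descriptors for Integer and its superclass Number, so both
        // need whitelisting; java.lang.Object is not Serializable and never appears
        ClassAcceptor ints = new WhitelistClassAcceptor(Set.of("java.lang.Integer", "java.lang.Number"));
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(42)), ints)) {
            System.out.println(in.readObject()); // 42
        }
        // An ArrayList is refused inside resolveClass, before any instance is built
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(new ArrayList<>())), ints)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that a whitelist has to name the whole serializable superclass chain, not just the leaf type; forgetting Number here would make the Integer case fail too.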