Hey Bertrand, Welcome to Commons!
Phil

> On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:
>
> Hi,
>
> I've just subscribed to this list after briefly discussing this with
> Benedikt Ritter.
>
> I have written a small module [1] that provides a safer replacement
> for ObjectInputStream, to avoid the recently discussed Java
> deserialization issues.
>
> For now that module is in my Sling whiteboard but I'd be interested in
> donating it to Commons if you guys think it's a good idea, and
> maintaining it here if you agree.
>
> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> allow restricted sets of classes to be deserialized. An efficient
> whitelist-based ClassAcceptor is provided, as well as a more flexible
> and slower RegexpClassAcceptor that has both white and black lists -
> and of course one can supply their own ClassAcceptor implementation.
>
> Are you guys interested? From my point of view it's good enough to
> release, it just needs additional OSGi Export-Package headers to be
> usable in an OSGi environment like Sling.
>
> Let me know what you think.
>
> -Bertrand
>
> [1] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/
>
> [2] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
> - it's basically just a "void accept(String className) throws
> ClassRejectedException" method.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
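The design Bertrand describes, as an added illustration that is not the code from the Sling whiteboard module: only the names ClassAcceptor, accept(String className) and ClassRejectedException come from his message; the class names WhitelistClassAcceptor, RegexpClassAcceptor, SafeObjectInputStream's internals, the Greeting sample class and the regex patterns are assumptions made for this sketch. The point it shows is where the acceptor has to hook in: ObjectInputStream.resolveClass (and resolveProxyClass for dynamic proxies) is called for each class descriptor before any instance is created, so a rejection there stops a gadget chain before the first gadget exists.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

public class SafeDeserializationExample {

    /** Mirrors the accept(String) contract described in the thread (illustrative, not the Sling code). */
    interface ClassAcceptor {
        void accept(String className) throws ClassRejectedException;
    }

    /** Subclass of IOException so resolveClass() can throw it without changing its signature. */
    static class ClassRejectedException extends IOException {
        ClassRejectedException(String msg) { super(msg); }
    }

    /** Exact-name whitelist: one HashSet lookup per class descriptor, fail closed. */
    static class WhitelistClassAcceptor implements ClassAcceptor {
        private final Set<String> allowed;
        WhitelistClassAcceptor(String... binaryNames) { allowed = new HashSet<>(Arrays.asList(binaryNames)); }
        public void accept(String className) throws ClassRejectedException {
            if (!allowed.contains(className)) throw new ClassRejectedException("not whitelisted: " + className);
        }
    }

    /** Regex acceptor (assumed semantics): blacklist wins, then at least one whitelist pattern must match. */
    static class RegexpClassAcceptor implements ClassAcceptor {
        private final List<Pattern> white = new ArrayList<>();
        private final List<Pattern> black = new ArrayList<>();
        RegexpClassAcceptor whitelist(String regex) { white.add(Pattern.compile(regex)); return this; }
        RegexpClassAcceptor blacklist(String regex) { black.add(Pattern.compile(regex)); return this; }
        public void accept(String className) throws ClassRejectedException {
            for (Pattern p : black) if (p.matcher(className).matches()) throw new ClassRejectedException("blacklisted: " + className);
            for (Pattern p : white) if (p.matcher(className).matches()) return;
            throw new ClassRejectedException("not whitelisted: " + className);
        }
    }

    /** ObjectInputStream that consults the acceptor before the class is resolved, i.e. before instantiation. */
    static class SafeObjectInputStream extends ObjectInputStream {
        private final ClassAcceptor acceptor;
        SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
            super(in);
            this.acceptor = acceptor;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            acceptor.accept(desc.getName());          // binary name, e.g. "java.util.HashMap"
            return super.resolveClass(desc);
        }
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            for (String itf : interfaces) acceptor.accept(itf);   // proxies carry their interface names
            return super.resolveProxyClass(interfaces);
        }
    }

    /** Constructed sample payload type; String fields are written inline and never reach resolveClass. */
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ClassAcceptor acceptor) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(bytes), acceptor)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ClassAcceptor strict = new WhitelistClassAcceptor(Greeting.class.getName());
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")), strict);
        System.out.println("accepted: " + g.text);

        // A HashMap is a harmless stand-in for an unexpected class; it is rejected from resolveClass
        // before readObject() has built any instance of it.
        try {
            deserialize(serialize(new HashMap<String, String>()), strict);
        } catch (ClassRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Regex variant (patterns are assumptions): allow this example's classes, deny anything under java.lang.reflect.
        ClassAcceptor regex = new RegexpClassAcceptor()
                .whitelist("SafeDeserializationExample\\$.*")
                .blacklist("java\\.lang\\.reflect\\..*");
        System.out.println("regex accepted: " + ((Greeting) deserialize(serialize(new Greeting("again")), regex)).text);
    }
}
```

Two caveats a reviewer of such a module would raise: the whitelist acceptor is the safer default, because a blacklist has to be kept current with every newly published gadget class, and the hook only governs classes that go through resolveClass, so an allowed class with its own readObject logic is still trusted to behave. Later JDKs (Java 9, backported to 8u121) ship the same idea built in as ObjectInputFilter, which was not available when this thread was written.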