On Fri, Nov 13, 2015 at 11:53 AM, Phil Steitz <phil.ste...@gmail.com> wrote:
> Hey Bertrand,
>
> Welcome to Commons!
> +1 Gary
>
> Phil
>
> > On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:
> >
> > Hi,
> >
> > I've just subscribed to this list after briefly discussing this with
> > Benedikt Ritter.
> >
> > I have written a small module [1] that provides a safer replacement
> > for ObjectInputStream, to avoid the recently discussed Java
> > deserialization issues.
> >
> > For now that module is in my Sling whiteboard but I'd be interested in
> > donating it to Commons if you guys think it's a good idea, and
> > maintaining it here if you agree.
> >
> > This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
> > allow restricted sets of classes to be deserialized. An efficient
> > whitelist-based ClassAcceptor is provided, as well as a more flexible
> > and slower RegexpClassAcceptor that has both white and black lists -
> > and of course one can supply their own ClassAcceptor implementation.
> >
> > Are you guys interested? From my point of view it's good enough to
> > release, it just needs additional OSGi Export-Package headers to be
> > usable in an OSGi environment like Sling.
> >
> > Let me know what you think.
> >
> > -Bertrand
> >
> > [1] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/
> >
> > [2] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
> > - it's basically just a "void accept(String className) throws
> > ClassRejectedException" method.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >

--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
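To make the design Bertrand describes concrete, here is an added, self-contained example (written for this page, not code from the Sling whiteboard module or from Commons) of the same shape: a `ClassAcceptor` with the `void accept(String className) throws ClassRejectedException` signature quoted above, an exact-name whitelist acceptor, a regex acceptor with both white and black lists, and an `ObjectInputStream` subclass that consults the acceptor from `resolveClass`. The class and method names other than `ClassAcceptor`, `ClassRejectedException`, `SafeObjectInputStream` and `RegexpClassAcceptor` are my own assumptions, as is the constructed sample stream in `main`. The security-relevant point is where the check sits: `resolveClass` runs before any object of that class is instantiated or its `readObject` is invoked, so a rejected class is never loaded into the deserialization, which is what stops gadget chains that execute during `readObject` rather than after it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class SafeDeserializationDemo {

    /** Same signature as the interface described in the thread: accept silently or throw. */
    public interface ClassAcceptor {
        void accept(String className) throws ClassRejectedException;
    }

    /** Subclass of InvalidClassException so it propagates naturally out of readObject(). */
    public static class ClassRejectedException extends InvalidClassException {
        public ClassRejectedException(String className) {
            super(className, "class not accepted for deserialization");
        }
    }

    /** Exact-name whitelist backed by a HashSet: one lookup per class descriptor. */
    public static class WhitelistClassAcceptor implements ClassAcceptor {
        private final Set<String> allowed;
        public WhitelistClassAcceptor(String... classNames) {
            this.allowed = new HashSet<>(Arrays.asList(classNames));
        }
        @Override public void accept(String className) throws ClassRejectedException {
            if (!allowed.contains(className)) throw new ClassRejectedException(className);
        }
    }

    /** Regex acceptor: a blacklist match rejects first, then the name must match some whitelist entry. */
    public static class RegexpClassAcceptor implements ClassAcceptor {
        private final List<Pattern> white = new ArrayList<>();
        private final List<Pattern> black = new ArrayList<>();
        public RegexpClassAcceptor(List<String> whiteRegexps, List<String> blackRegexps) {
            for (String r : whiteRegexps) white.add(Pattern.compile(r));
            for (String r : blackRegexps) black.add(Pattern.compile(r));
        }
        @Override public void accept(String className) throws ClassRejectedException {
            for (Pattern p : black) if (p.matcher(className).matches()) throw new ClassRejectedException(className);
            for (Pattern p : white) if (p.matcher(className).matches()) return;
            throw new ClassRejectedException(className);
        }
    }

    /** ObjectInputStream that asks the acceptor before any class from the stream is resolved. */
    public static class SafeObjectInputStream extends ObjectInputStream {
        private final ClassAcceptor acceptor;
        public SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
            super(in);
            this.acceptor = acceptor;
        }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            acceptor.accept(desc.getName()); // throws before the class is loaded or instantiated
            return super.resolveClass(desc);
        }
    }

    /** Constructed sample input: serialize any object into a byte array. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readWith(byte[] bytes, ClassAcceptor acceptor) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes), acceptor)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only ArrayList is allowed; String elements are written as TC_STRING and never hit resolveClass.
        ClassAcceptor onlyLists = new WhitelistClassAcceptor("java.util.ArrayList");
        System.out.println("accepted: " + readWith(serialize(new ArrayList<>(Arrays.asList("a", "b"))), onlyLists));
        try {
            readWith(serialize(new Date()), onlyLists);
        } catch (ClassRejectedException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
        ClassAcceptor regex = new RegexpClassAcceptor(Arrays.asList("java\\.util\\..*"), Arrays.asList("java\\.util\\.Date"));
        System.out.println("regex accepted: " + readWith(serialize(new ArrayList<String>()), regex));
    }
}
```

Two caveats a deployment should check. First, `desc.getName()` for an array of objects is the JVM descriptor form (for example `[Ljava.util.Date;`), so a whitelist that names only element classes will reject arrays of them; decide explicitly whether that is the intended policy. Second, dynamic proxies bypass `resolveClass` and go through `resolveProxyClass` instead, so a hardened subclass should override that method as well and run each interface name through the same acceptor.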