+2 :-)

Kind regards
Uwe Barthel
-- 
bart...@x-reizend.de
> On 13 Nov 2015, at 18:22, Jörg Schaible <joerg.schai...@gmx.de> wrote:
>
> Hi Bertrand,
>
> Bertrand Delacretaz wrote:
>
>> Hi,
>>
>> I've just subscribed to this list after briefly discussing this with
>> Benedikt Ritter.
>>
>> I have written a small module [1] that provides a safer replacement
>> for ObjectInputStream, to avoid the recently discussed Java
>> deserialization issues.
>>
>> For now that module is in my Sling whiteboard but I'd be interested in
>> donating it to Commons if you guys think it's a good idea, and
>> maintaining it here if you agree.
>>
>> This SafeObjectInputStream uses a ClassAcceptor [2] interface to only
>> allow restricted sets of classes to be deserialized. An efficient
>> whitelist-based ClassAcceptor is provided, as well as a more flexible
>> and slower RegexpClassAcceptor that has both white and black lists -
>> and of course one can supply their own ClassAcceptor implementation.
>>
>> Are you guys interested? From my point of view it's good enough to
>> release, it just needs additional OSGi Export-Package headers to be
>> usable in an OSGi environment like Sling.
>>
>> Let me know what you think.
>
> Good enhancement. For commons-io?
>
> Would be good to have also an analogous ObjectOutputStream, just to avoid a
> problem at deserialisation time simply caused by accident.
>
> Cheers,
> Jörg
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
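The design Bertrand describes (an acceptor consulted before any class named in the stream is resolved) and the analogous output-side check Jörg asks for, written out as an added example for this thread. This is not code from the Sling whiteboard module or from Commons; the `ClassAcceptor`, `WhitelistClassAcceptor`, `SafeObjectInputStream` and `SafeObjectOutputStream` names, signatures and the `Greeting`/`NotAllowed` sample classes are assumptions modelled on the description, not the module's actual API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeDeserializationDemo {

    /** Decides whether a class named in a stream may take part. Assumed interface, modelled on the thread. */
    interface ClassAcceptor {
        boolean accept(String className);
    }

    /** Exact-name whitelist: constant-time lookup, no pattern matching. */
    static final class WhitelistClassAcceptor implements ClassAcceptor {
        private final Set<String> allowed;
        WhitelistClassAcceptor(String... names) { allowed = new HashSet<>(Arrays.asList(names)); }
        @Override public boolean accept(String className) { return allowed.contains(className); }
    }

    /** ObjectInputStream that asks the acceptor before resolving any class descriptor read from the stream. */
    static final class SafeObjectInputStream extends ObjectInputStream {
        private final ClassAcceptor acceptor;
        SafeObjectInputStream(InputStream in, ClassAcceptor acceptor) throws IOException {
            super(in);
            this.acceptor = acceptor;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Runs before the named class is loaded, so a rejected class never gets initialised.
            if (!acceptor.accept(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    /** The mirror image Jörg suggests: refuse to write classes that the reader will not accept. */
    static final class SafeObjectOutputStream extends ObjectOutputStream {
        private final ClassAcceptor acceptor;
        SafeObjectOutputStream(OutputStream out, ClassAcceptor acceptor) throws IOException {
            super(out);
            this.acceptor = acceptor;
        }
        @Override
        protected void annotateClass(Class<?> cl) throws IOException {
            // Called once per class descriptor written; fail early instead of at deserialisation time.
            if (!acceptor.accept(cl.getName())) {
                throw new InvalidClassException(cl.getName(), "class not permitted for serialization");
            }
            super.annotateClass(cl);
        }
    }

    /** Sample payload types, constructed for this demo. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o, ClassAcceptor acceptor) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new SafeObjectOutputStream(bos, acceptor)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ClassAcceptor acceptor) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes), acceptor)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ClassAcceptor acceptor = new WhitelistClassAcceptor(Greeting.class.getName());
        ClassAcceptor permissive = className -> true;   // used only to build a stream the reader should reject

        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello"), acceptor), acceptor);
        System.out.println("accepted: " + g.text);

        try {
            deserialize(serialize(new NotAllowed(), permissive), acceptor);
        } catch (InvalidClassException e) {
            System.out.println("reader rejected: " + e.getMessage());
        }
        try {
            serialize(new NotAllowed(), acceptor);
        } catch (InvalidClassException e) {
            System.out.println("writer rejected: " + e.getMessage());
        }
    }
}
```

Compile with `javac SafeDeserializationDemo.java` and run with `java SafeDeserializationDemo`. The important property is where the check sits: `resolveClass` sees only the class name from the stream descriptor, so a rejected class is never loaded and none of its static initialisers or `readObject` hooks run. `String` fields need no entry because strings are written as native stream tokens, not class descriptors; nested classes must be listed by their binary name (`Outer$Inner`), which `Class.getName()` gives you. Later JDKs added a built-in equivalent, `ObjectInputFilter` (JEP 290, Java 9, backported to 8u121), which is the standard mechanism where it is available.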