Why not import java.io.ObjectOutputStream instead of always using the fully qualified class name?
Gary

---------- Forwarded message ---------
From: <s...@apache.org>
Date: Tue, Dec 14, 2021 at 7:19 PM
Subject: [commons-net] branch master updated: Prevent serialization
To: comm...@commons.apache.org <comm...@commons.apache.org>

This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git

The following commit(s) were added to refs/heads/master by this push:
new 991b775 Prevent serialization
991b775 is described below

commit 991b775f2052e150c4c16d1c1cd2073021d40c2e
Author: Sebb <s...@apache.org>
AuthorDate: Wed Dec 15 00:18:48 2021 +0000

Prevent serialization
It is not useful and is unlikely to work properly.
---
src/changes/changes.xml | 4 ++++
.../apache/commons/net/ProtocolCommandSupport.java | 18 +++++++++++++++++-
.../java/org/apache/commons/net/ftp/FTPFile.java | 20 +++++++++++++++++++-
.../java/org/apache/commons/net/ntp/TimeStamp.java | 16 ++++++++++++++++
.../org/apache/commons/net/util/ListenerList.java | 15 +++++++++++++++
5 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 95fbce2..d388412 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -92,6 +92,10 @@ The <action> type attribute can be add,update,fix,remove.
 [FTP] Add FTPFile.getTimestampInstant().
 </action>
 <!-- UPDATE -->
+ <action type="update" dev="sebb">
+ Prevent serialization of the 4 classes that implement Serializable.
+ It is not useful and is unlikely to work properly.
+ </action>
 <action type="update" dev="ggregory" due-to="Dependabot">
 Bump junit from 4.13.1 to 4.13.2 #74.
 </action>
diff --git a/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java b/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
index c2e409d..9057d55 100644
--- a/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
+++ b/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
@@ -17,6 +17,8 @@ package org.apache.commons.net;
+import java.io.IOException;
+import java.io.ObjectStreamException;
 import java.io.Serializable;
 import java.util.EventListener;
@@ -131,5 +133,19 @@ public class ProtocolCommandSupport implements Serializable
 listeners.removeListener(listener);
 }
-}
+ /*
+ Serialization is unnecessary for this class.
+ Reject attempts to do so until such time as the Serializable attribute can be dropped.
+ */
+ private void writeObject(java.io.ObjectOutputStream out) throws IOException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
+}
diff --git a/src/main/java/org/apache/commons/net/ftp/FTPFile.java b/src/main/java/org/apache/commons/net/ftp/FTPFile.java
index b7ea2fe..fa45ccb 100644
--- a/src/main/java/org/apache/commons/net/ftp/FTPFile.java
+++ b/src/main/java/org/apache/commons/net/ftp/FTPFile.java
@@ -17,6 +17,7 @@ package org.apache.commons.net.ftp;
+import java.io.IOException;
 import java.io.Serializable;
 import java.time.Instant;
 import java.util.Calendar;
@@ -82,7 +83,7 @@ public class FTPFile implements Serializable {
 private Calendar calendar;
 /** If this is null, then list entry parsing failed. */
- private final boolean[] permissions[]; // e.g. _permissions[USER_ACCESS][READ_PERMISSION]
+ private final boolean[][] permissions; // e.g. _permissions[USER_ACCESS][READ_PERMISSION]
 /** Creates an empty FTPFile. */
 public FTPFile() {
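Review bot: `import java.io.ObjectStreamException;` added in the first hunk is never referenced: the two methods added in the second hunk declare `throws IOException` and `throws IOException, ClassNotFoundException` and throw `UnsupportedOperationException`, and the old file did not import it, so nothing else in the class can have used it. Either drop the import, or make it earn its place by throwing one of its subtypes from the new methods. The other three files in this commit do not add this import, so this looks like a leftover from an earlier draft.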
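Review bot: The new `writeObject`/`readObject` hooks throw `UnsupportedOperationException`, an unchecked exception that code calling `ObjectInputStream.readObject()` or `ObjectOutputStream.writeObject()` does not expect, since the serialization API reports rejected objects through `ObjectStreamException` subtypes; the conventional form is `throw new java.io.NotSerializableException("Serialization is not supported");` in `writeObject` and `throw new java.io.InvalidObjectException("Serialization is not supported");` in `readObject`. The identical methods added to FTPFile.java, TimeStamp.java and ListenerList.java in this commit have the same issue. Note also that a throwing `readObject` only rejects an instance after the stream's class descriptor has been resolved and the object allocated, so an application that reads untrusted streams should still configure an `ObjectInputFilter` on the stream; this guard is defense-in-depth, not the primary control. The comment block could say so, e.g. `// Rejects (de)serialization of this instance; stream-level filtering remains the caller's responsibility.`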
@@ -475,4 +476,21 @@ public class FTPFile implements Serializable {
 public String toString() {
 return getRawListing();
 }
+
+ /*
+ Serialization is unnecessary for this class.
+ Reject attempts to do so until such time as the Serializable attribute can be dropped.
+ */
+
+ private void writeObject(java.io.ObjectOutputStream out) throws IOException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
+
 }
diff --git a/src/main/java/org/apache/commons/net/ntp/TimeStamp.java b/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
index d31dafb..ec66ab7 100644
--- a/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
+++ b/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
@@ -18,6 +18,7 @@ package org.apache.commons.net.ntp;
+import java.io.IOException;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -449,4 +450,19 @@ public class TimeStamp implements java.io.Serializable, Comparable<TimeStamp>
 return utcFormatter.format(ntpDate);
 }
+ /*
+ Serialization is unnecessary for this class.
+ Reject attempts to do so until such time as the Serializable attribute can be dropped.
+ */
+
+ private void writeObject(java.io.ObjectOutputStream out) throws IOException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
 }
diff --git a/src/main/java/org/apache/commons/net/util/ListenerList.java b/src/main/java/org/apache/commons/net/util/ListenerList.java
index 2db5a3a..de1bb09 100644
--- a/src/main/java/org/apache/commons/net/util/ListenerList.java
+++ b/src/main/java/org/apache/commons/net/util/ListenerList.java
@@ -63,4 +63,19 @@ public class ListenerList implements Serializable, Iterable<EventListener>
 listeners.remove(listener);
 }
+ /*
+ Serialization is unnecessary for this class.
+ Reject attempts to do so until such time as the Serializable attribute can be dropped.
+ */
+
+ private void writeObject(java.io.ObjectOutputStream out) throws IOException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException
+ {
+ throw new UnsupportedOperationException("Serialization is not supported");
+ }
+
 }
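Review bot: The new `writeObject`/`readObject` methods declare `throws IOException`, but unlike ProtocolCommandSupport.java, FTPFile.java and TimeStamp.java, no hunk in this commit adds `import java.io.IOException;` to ListenerList.java, and the diffstat's 15 insertions are all accounted for by this hunk. Unless the file already brings the name into scope through an import not shown here, this will not compile; the fix is to add `import java.io.IOException;` next to the file's existing `java.io` import. The enclosing class continues outside the hunk.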