On Wed, 15 Dec 2021 at 00:30, Gary Gregory <garydgreg...@gmail.com> wrote: > > Why not import java.io.ObjectOutputStream instead of always using the fully > qualified class name?
Because I copy-pasted the signature. Feel free to fix it.
> Gary
>
> ---------- Forwarded message ---------
> From: <s...@apache.org>
> Date: Tue, Dec 14, 2021 at 7:19 PM
> Subject: [commons-net] branch master updated: Prevent serialization
> To: comm...@commons.apache.org <comm...@commons.apache.org>
>
>
> This is an automated email from the ASF dual-hosted git repository.
>
> sebb pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/commons-net.git
>
>
> The following commit(s) were added to refs/heads/master by this push:
> new 991b775 Prevent serialization
> 991b775 is described below
>
> commit 991b775f2052e150c4c16d1c1cd2073021d40c2e
> Author: Sebb <s...@apache.org>
> AuthorDate: Wed Dec 15 00:18:48 2021 +0000
>
> Prevent serialization
>
> It is not useful and is unlikely to work properly.
> ---
> src/changes/changes.xml | 4 ++++
> .../apache/commons/net/ProtocolCommandSupport.java | 18
> +++++++++++++++++-
> .../java/org/apache/commons/net/ftp/FTPFile.java | 20
> +++++++++++++++++++-
> .../java/org/apache/commons/net/ntp/TimeStamp.java | 16 ++++++++++++++++
> .../org/apache/commons/net/util/ListenerList.java | 15 +++++++++++++++
> 5 files changed, 71 insertions(+), 2 deletions(-)
>
> diff --git a/src/changes/changes.xml b/src/changes/changes.xml
> index 95fbce2..d388412 100644
> --- a/src/changes/changes.xml
> +++ b/src/changes/changes.xml
> @@ -92,6 +92,10 @@ The <action> type attribute can be add,update,fix,remove.
> [FTP] Add FTPFile.getTimestampInstant().
> </action>
> <!-- UPDATE -->
> + <action type="update" dev="sebb">
> + Prevent serialization of the 4 classes that implement Serializable.
> + It is not useful and is unlikely to work properly.
> + </action>
> <action type="update" dev="ggregory" due-to="Dependabot">
> Bump junit from 4.13.1 to 4.13.2 #74.
> </action>
> diff --git
> a/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
> b/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
> index c2e409d..9057d55 100644
> --- a/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
> +++ b/src/main/java/org/apache/commons/net/ProtocolCommandSupport.java
> @@ -17,6 +17,8 @@
>
> package org.apache.commons.net;
>
> +import java.io.IOException;
> +import java.io.ObjectStreamException;
> import java.io.Serializable;
> import java.util.EventListener;
>
> @@ -131,5 +133,19 @@ public class ProtocolCommandSupport implements
> Serializable
> listeners.removeListener(listener);
> }
>
> -}
> + /*
> + Serialization is unnecessary for this class.
> + Reject attempts to do so until such time as the Serializable
> attribute can be dropped.
> + */
>
> + private void writeObject(java.io.ObjectOutputStream out) throws
> IOException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> + private void readObject(java.io.ObjectInputStream in) throws
> IOException, ClassNotFoundException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> +}
> diff --git a/src/main/java/org/apache/commons/net/ftp/FTPFile.java
> b/src/main/java/org/apache/commons/net/ftp/FTPFile.java
> index b7ea2fe..fa45ccb 100644
> --- a/src/main/java/org/apache/commons/net/ftp/FTPFile.java
> +++ b/src/main/java/org/apache/commons/net/ftp/FTPFile.java
> @@ -17,6 +17,7 @@
>
> package org.apache.commons.net.ftp;
>
> +import java.io.IOException;
> import java.io.Serializable;
> import java.time.Instant;
> import java.util.Calendar;
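Review bot: The new `readObject` in ProtocolCommandSupport is the only deserialization guard, and the class is a non-final `public class`, so a stream that does not list it as a superclass of the object being read would give its fields default values without ever calling `readObject`. Java serialization has a separate hook for that case; adding `private void readObjectNoData() throws ObjectStreamException { throw new java.io.InvalidObjectException("Serialization is not supported"); }` would close it, and would also give the `java.io.ObjectStreamException` import added at the top of this file a use, since none of the added lines shown here reference it. The FTPFile, TimeStamp and ListenerList hunks add the identical pair of methods to non-final classes and have the same gap. The class body starts outside the hunk, so an existing `readObjectNoData` cannot be ruled out from here.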
> @@ -82,7 +83,7 @@ public class FTPFile implements Serializable {
> private Calendar calendar;
>
> /** If this is null, then list entry parsing failed. */
> - private final boolean[] permissions[]; // e.g.
> _permissions[USER_ACCESS][READ_PERMISSION]
> + private final boolean[][] permissions; // e.g.
> _permissions[USER_ACCESS][READ_PERMISSION]
>
> /** Creates an empty FTPFile. */
> public FTPFile() {
> @@ -475,4 +476,21 @@ public class FTPFile implements Serializable {
> public String toString() {
> return getRawListing();
> }
> +
> + /*
> + Serialization is unnecessary for this class.
> + Reject attempts to do so until such time as the Serializable
> attribute can be dropped.
> + */
> +
> + private void writeObject(java.io.ObjectOutputStream out) throws
> IOException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> + private void readObject(java.io.ObjectInputStream in) throws
> IOException, ClassNotFoundException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> +
> }
> diff --git a/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
> b/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
> index d31dafb..ec66ab7 100644
> --- a/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
> +++ b/src/main/java/org/apache/commons/net/ntp/TimeStamp.java
> @@ -18,6 +18,7 @@ package org.apache.commons.net.ntp;
>
>
>
> +import java.io.IOException;
> import java.text.DateFormat;
> import java.text.SimpleDateFormat;
> import java.util.Date;
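Review bot: `writeObject` and `readObject` in FTPFile reject with `UnsupportedOperationException`, which is unchecked, so callers that wrap `ObjectOutputStream.writeObject` or `ObjectInputStream.readObject` in `catch (IOException e)` will not handle the rejection and it surfaces as a runtime failure instead. Both methods already declare `throws IOException`, so they could throw the type the serialization API uses for this condition: `throw new java.io.NotSerializableException(FTPFile.class.getName());`. The ProtocolCommandSupport, TimeStamp and ListenerList hunks use the same throw and would take the same change with their own class names. If the unchecked exception is deliberate, a sentence in the block comment saying so would help. The added methods also put `{` on its own line, while the FTPFile code visible in this diff (`public FTPFile() {`, `public String toString() {`) keeps it on the signature line.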
> @@ -449,4 +450,19 @@ public class TimeStamp implements
> java.io.Serializable, Comparable<TimeStamp>
> return utcFormatter.format(ntpDate);
> }
>
> + /*
> + Serialization is unnecessary for this class.
> + Reject attempts to do so until such time as the Serializable
> attribute can be dropped.
> + */
> +
> + private void writeObject(java.io.ObjectOutputStream out) throws
> IOException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> + private void readObject(java.io.ObjectInputStream in) throws
> IOException, ClassNotFoundException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> }
> diff --git a/src/main/java/org/apache/commons/net/util/ListenerList.java
> b/src/main/java/org/apache/commons/net/util/ListenerList.java
> index 2db5a3a..de1bb09 100644
> --- a/src/main/java/org/apache/commons/net/util/ListenerList.java
> +++ b/src/main/java/org/apache/commons/net/util/ListenerList.java
> @@ -63,4 +63,19 @@ public class ListenerList implements Serializable,
> Iterable<EventListener>
> listeners.remove(listener);
> }
>
> + /*
> + Serialization is unnecessary for this class.
> + Reject attempts to do so until such time as the Serializable
> attribute can be dropped.
> + */
> +
> + private void writeObject(java.io.ObjectOutputStream out) throws
> IOException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> + private void readObject(java.io.ObjectInputStream in) throws
> IOException, ClassNotFoundException
> + {
> + throw new UnsupportedOperationException("Serialization is not
> supported");
> + }
> +
> }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
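Review bot: The restriction on TimeStamp is recorded only in a plain `/* ... */` block comment ahead of the private methods, so it never reaches the generated Javadoc, while the class still declares `implements java.io.Serializable` and will look serializable to API users and static analysis. A sentence in the class-level Javadoc would make the runtime behaviour discoverable, for example `<p>Although this class implements {@code Serializable}, attempts to serialize or deserialize it are rejected at run time.</p>`. The class Javadoc lies outside this hunk, so the wording needs merging with whatever is already there; ListenerList in the following hunk, and ProtocolCommandSupport and FTPFile earlier, would benefit from the same sentence. The diffstat lists no test files, so a small test asserting that `ObjectOutputStream.writeObject` fails for each of the four classes would pin the behaviour.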