Thanks Chris,
Over the last year I've been working on reimplementing OIS, I've been able to
retain serial form compatibility, but have made some changes to deserialization
API.
With the reimpl, existing Serializable objects that are stateless or those with
only primitive fields are allowed to
Peter,
I, along with others within Oracle, are interested in this general
area. We are tied up with other issues at the moment, but I hope to
get this within the next couple of weeks.
-Chris.
On 04/02/16 00:40, Peter Firmstone wrote:
In light of recent examples of gadget deserialization attacks, I believe we
need an OIS SPI.
While OIS functionality can be overridden, there's no way to ensure this can be
done for all uses of OIS.
I believe this is necessary for security reasons, to allow Serialization to be
completely disab