On Fri, 18 Jan 2019 at 01:15, Marco Pivetta wrote:
> On Fri, Jan 18, 2019 at 2:13 AM Marcos Passos wrote:
> > But it closes for extension preventing the serialization of instances not
> > whitelisted. It may work for @internal or package private classes, but not
> > for public classes.
On Fri, Jan 18, 2019 at 2:13 AM Marcos Passos wrote:
But it closes for extension preventing the serialization of instances not
whitelisted. It may work for @internal or package private classes, but not
for public classes.

On Thu, 17 Jan 2019 at 23:0
On Fri, Jan 18, 2019 at 2:00 AM Marcos Passos wrote:
> How would you fix this example, then? Perhaps we should add more examples
> in the docs.
>
You'd include all expected child classes in the list of `allowed_classes`.
As for the docs, feel free to go ahead and edit them directly :+1:
Marco P
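The behaviour the thread is discussing, as an added illustration that is not code from the thread, from the original post or from PHP's own documentation: `allowed_classes` matches exact class names, so whitelisting only the parent leaves a serialized subclass instance as `__PHP_Incomplete_Class`, and the workaround above (listing every expected concrete subclass) is what makes the same payload restore. The class names `SerializableBase`, `ChildA`, `ChildB`, the `restoreBase` helper and the hand-written `ChildC` payload are assumptions constructed for this example.

```php
<?php
// Added example (not from the thread): allowed_classes matches exact class
// names, so whitelisting a parent does not admit its subclasses.

abstract class SerializableBase
{
    /** @var string */
    public $label;

    public function __construct(string $label)
    {
        $this->label = $label;
    }
}

final class ChildA extends SerializableBase {}
final class ChildB extends SerializableBase {}

/**
 * Unserialize $payload with the given class allow-list and enforce that the
 * result really is a SerializableBase. Returns null when the payload was
 * rejected: a class outside the list is materialised as
 * __PHP_Incomplete_Class, which fails the instanceof check.
 * (Helper name and signature are assumptions for this example.)
 */
function restoreBase(string $payload, array $allowedClasses): ?SerializableBase
{
    $obj = unserialize($payload, ['allowed_classes' => $allowedClasses]);
    if (!$obj instanceof SerializableBase) {
        return null;
    }
    return $obj;
}

$payload = serialize(new ChildA('a'));

// 1. Only the parent is listed: the ChildA instance is not matched, so the
//    helper returns null even though ChildA extends SerializableBase.
var_dump(restoreBase($payload, [SerializableBase::class]));

// 2. The workaround discussed in the thread: list every expected concrete
//    subclass explicitly. Now the same payload restores to a ChildA object.
$knownSubclasses = [ChildA::class, ChildB::class];
var_dump(restoreBase($payload, $knownSubclasses));

// 3. A constructed payload naming a class that is not on the list is also
//    rejected, whatever that class claims to extend.
$unknown = 'O:6:"ChildC":1:{s:5:"label";s:1:"x";}';
var_dump(restoreBase($unknown, $knownSubclasses));
```

The explicit subclass list is the "closed for extension" cost the thread describes: every new subtype has to be added by hand. The `instanceof` check after `unserialize()` is the part worth keeping regardless of how the list is built, because it turns an incomplete-class object into an explicit rejection instead of letting it flow into code that expects a `SerializableBase`.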
How would you fix this example, then? Perhaps we should add more examples
in the docs.

On Thu, 17 Jan 2019 at 22:53, Marco Pivetta wrote:
> On Fri, Jan 18, 2019 at 1:50 AM Marcos Passos wrote:
>
>> Hi Marco,
>>
>> Also: nothing denies an attacker from defining a subtype to your class
On Fri, Jan 18, 2019 at 1:50 AM Marcos Passos wrote:
Hi Marco,

> Also: nothing denies an attacker from defining a subtype to your class,
> then passing a malicious instance to your application.

Fact, but it also reveals a fragility in the solution in the sense that one
has to opt between flexible design or security.

On Thu, 17 Jan 2019 at 22:
On Fri, Jan 18, 2019 at 12:49 AM Marcos Passos wrote:
Hi internals,

Today I stumbled upon a limitation when implementing the unserialize method
of a serializable class which depends on an abstraction also serializable.
Currently, there is no way to unserialize an object specifying a parent
class in the allowed_classes option:

class SerializableBase