rzo1 opened a new pull request, #1029: URL: https://github.com/apache/opennlp/pull/1029
Apply a JEP 290 ObjectInputFilter to SvmDoccatModel.deserialize() that allow-lists only the classes reachable from a legitimate model graph and bounds graph depth, references, and array length. Foreign payloads are now rejected with InvalidClassException before readObject() returns, rather than after the cast.

Add a public DeserializationLimits record and a deserialize(InputStream, DeserializationLimits) overload so callers with unusually large models can raise the resource limits without touching the class allow-list. The original deserialize(InputStream) signature is preserved and now delegates to DeserializationLimits.DEFAULT.

FYI @subbudvk Please have a look.
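
The filtering approach this pull request describes, as an added example that is not the PR's or OpenNLP's own code. `ToyModel`, `Limits`, its fields and default values, and the allow-list contents are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

public class FilteredModelLoading {
    // Hypothetical stand-in for a model class; not OpenNLP's SvmDoccatModel.
    record ToyModel(String label, double[] weights) implements Serializable {}
    // Hypothetical limits holder; the fields and default values are assumptions.
    record Limits(long maxDepth, long maxRefs, long maxArray) {
        static final Limits DEFAULT = new Limits(16, 10_000, 1_000_000);
    }

    static ObjectInputFilter filterFor(Limits l) {
        return info -> {
            if (info.depth() > l.maxDepth() || info.references() > l.maxRefs()
                    || info.arrayLength() > l.maxArray()) {
                return ObjectInputFilter.Status.REJECTED;     // resource bound exceeded
            }
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback
            while (c.isArray()) c = c.getComponentType();     // judge arrays by element type
            boolean allowed = c.isPrimitive() || c == String.class || c == ToyModel.class;
            return allowed ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static ToyModel load(InputStream in, Limits limits) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(filterFor(limits));      // set before the first readObject()
            return (ToyModel) ois.readObject();               // foreign classes never reach this cast
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static String tryLoad(byte[] data, Limits limits) throws Exception {
        try { return "loaded " + load(new ByteArrayInputStream(data), limits).label(); }
        catch (InvalidClassException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        byte[] model = serialize(new ToyModel("spam", new double[] {0.5, -1.25, 3.0}));
        byte[] foreign = serialize(new ArrayList<>(List.of("x")));     // constructed non-model payload
        System.out.println(tryLoad(model, Limits.DEFAULT));            // allow-listed graph
        System.out.println(tryLoad(foreign, Limits.DEFAULT));          // class not on the allow-list
        System.out.println(tryLoad(model, new Limits(16, 10_000, 2))); // array longer than the limit
    }
}
```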
