[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006574#comment-15006574 ]
Emmanuel Bourg commented on IO-487:
-----------------------------------

The API looks good to me. I'd suggest adding the name of the class rejected to the InvalidClassException (there is a constructor for that).

I have one question regarding the accept/reject logic though. If I read the {{validateClassName}} method properly, any class is rejected unless it's explicitly accepted. Calling {{reject()}} has no real effect on the end result. The logic should be adjusted a bit I think, I'm not sure but maybe something like this:
- if reject is called but not accept, accept everything but the classes rejected
- if accept is called but not reject, reject everything but the classes accepted
- if both accept and reject are called, reject everything but the classes accepted (it sounds safer this way)

> SafeObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------
>
>                 Key: IO-487
>                 URL: https://issues.apache.org/jira/browse/IO-487
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>
>         Attachments: IO-487-2.patch, IO-487-accept-reject.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io. I'll attach a patch.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
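
The three accept/reject rules proposed in the comment above, sketched as an added Java example; this is not the IO-487 patch or Commons IO code. The names `AcceptRejectDemo` and `FilteringObjectInputStream`, exact class-name matching, and rejecting everything when neither method was called are assumptions made here.

```java
import java.io.*;
import java.util.*;

// Added illustration; class and method names are hypothetical, not the IO-487 patch.
public class AcceptRejectDemo {
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final Set<String> accepted = new HashSet<>();
        private final Set<String> rejected = new HashSet<>();

        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
        FilteringObjectInputStream accept(String... names) { accepted.addAll(Arrays.asList(names)); return this; }
        FilteringObjectInputStream reject(String... names) { rejected.addAll(Arrays.asList(names)); return this; }

        boolean isAllowed(String name) {
            // Rules 2 and 3: once accept() was called, only accepted classes pass.
            if (!accepted.isEmpty()) return accepted.contains(name);
            // Rule 1: only reject() was called, so everything else passes.
            if (!rejected.isEmpty()) return !rejected.contains(name);
            return false; // assumption: nothing configured means reject everything
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!isAllowed(desc.getName())) {
                // Two-argument constructor records the rejected class name.
                throw new InvalidClassException(desc.getName(), "class rejected by deserialization filter");
            }
            return super.resolveClass(desc);
        }
    }

    static String tryRead(byte[] data, String[] accept, String[] reject) throws Exception {
        try (FilteringObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            in.accept(accept).reject(reject);
            return "read " + in.readObject();
        } catch (InvalidClassException e) {
            return "blocked " + e.classname;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialized java.util.Date.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new Date(0)); }
        byte[] data = buf.toByteArray();
        String[] none = {}, date = {"java.util.Date"}, other = {"java.lang.Integer"};
        System.out.println(tryRead(data, none, other)); // reject only, Date not listed
        System.out.println(tryRead(data, none, date));  // reject only, Date listed
        System.out.println(tryRead(data, date, date));  // both called: accept decides
        System.out.println(tryRead(data, other, none)); // accept only, Date not listed
    }
}
```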