[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006574#comment-15006574 ]

Emmanuel Bourg commented on IO-487:
-----------------------------------

The API looks good to me. I'd suggest adding the name of the class rejected to 
the InvalidClassException (there is a constructor for that).

I have one question regarding the accept/reject logic though. If I read the 
{{validateClassName}} method properly, any class is rejected unless it's 
explicitly accepted. Calling {{reject()}} has no real effect on the end result. 
The logic should be adjusted a bit I think, I'm not sure but maybe something 
like this:
- if reject is called but not accept, accept everything but the classes rejected
- if accept is called but not reject, reject everything but the classes accepted
- if both accept and reject are called, reject everything but the classes 
accepted (it sounds safer this way)



> SafeObjectInputStream contribution - restrict which classes can be deserialized
> -------------------------------------------------------------------------------
>
>                 Key: IO-487
>                 URL: https://issues.apache.org/jira/browse/IO-487
>             Project: Commons IO
>          Issue Type: Improvement
>          Components: Utilities
>    Affects Versions: 2.4
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5
>
>         Attachments: IO-487-2.patch, IO-487-accept-reject.patch, 
> IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, 
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 
> code to commons-io. I'll attach a patch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
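
The accept/reject rules proposed in the comment, as an added example that is not part of the original message or of the IO-487 patches. The class name `FilteringObjectInputStream` and its helpers are hypothetical; denying everything when neither method is called, and letting a rejected name win when it is also accepted, are assumptions.

```java
import java.io.*;
import java.util.*;
// Hypothetical class for illustration; not the SafeObjectInputStream from the IO-487 patches.
public class FilteringObjectInputStream extends ObjectInputStream {
    private final Set<String> accepted = new HashSet<>();
    private final Set<String> rejected = new HashSet<>();

    public FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
    public FilteringObjectInputStream accept(Class<?>... cs) {
        for (Class<?> c : cs) accepted.add(c.getName());
        return this;
    }
    public FilteringObjectInputStream reject(Class<?>... cs) {
        for (Class<?> c : cs) rejected.add(c.getName());
        return this;
    }

    // The three rules from the comment, plus the two assumptions named in the lead-in.
    boolean isAllowed(String name) {
        if (rejected.contains(name)) return false;           // assumption: reject wins on overlap
        if (accepted.isEmpty()) return !rejected.isEmpty();  // reject only: allow the rest; neither: deny all
        return accepted.contains(name);                      // accept only, or both: allow-list
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            // The two-argument constructor carries the rejected class name.
            throw new InvalidClassException(desc.getName(), "class rejected for deserialization");
        }
        return super.resolveClass(desc);
    }

    static String tryRead(byte[] data, Class<?>[] accept, Class<?>[] reject) throws Exception {
        try (FilteringObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            return "read " + in.accept(accept).reject(reject).readObject();
        } catch (InvalidClassException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(Integer.valueOf(42)); } // constructed sample
        byte[] data = buf.toByteArray();
        Class<?>[] none = {};
        System.out.println(tryRead(data, new Class<?>[] {Integer.class, Number.class}, none)); // accept only
        System.out.println(tryRead(data, none, new Class<?>[] {Integer.class}));               // reject only
        System.out.println(tryRead(data, new Class<?>[] {String.class}, none));                // not on the accept list
    }
}
```

`resolveClass` is called for every class descriptor in the stream, superclasses included, which is why the accept-only case lists `Number` alongside `Integer`.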
