[https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15007015#comment-15007015]
Christopher Schultz commented on IO-487:
----------------------------------------
I made a suggestion on the tomcat-user mailing list where we have been
discussing the same thing, and are likely to use your implementation once it's
complete: allow for the [Whatever]InputStream to be put into a mode where it
merely reports (via log @ INFO level) which classes would have been rejected.
This will allow a developer to run in this mode to ensure that there aren't any
classes being used that are expected to be deserialized during legitimate uses
of the application, but aren't matching the currently-configured "accept"
criteria.
Yes, this can be done by watching for
UnsupportedOperationException/InvalidClassException, but it will require the
developer to re-build and re-try many times to get all of the various classes
taken care of. With this feature, someone could enable the logging, run the
application normally, and end up with a complete list of classes that need to
be "allowed" by grepping the log file.
> SafeObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject.patch,
> IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch,
> IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
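The "report-only" mode proposed in the comment above, as an added example that is not part of this issue's patches or of commons-io: a hypothetical ObjectInputStream subclass that checks every incoming class descriptor against a list of accept regexes, and either throws InvalidClassException (enforcing mode) or logs the class name at INFO and lets deserialization continue (report-only mode). The class name ReportingObjectInputStream, the accept-regex constructor, and the Order payload type are all assumptions made for the demo; the payload itself is constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Hypothetical accept-list ObjectInputStream with a report-only mode (example code).
public class ReportingObjectInputStream extends ObjectInputStream {
    private static final Logger LOG = Logger.getLogger(ReportingObjectInputStream.class.getName());

    private final List<Pattern> acceptPatterns = new ArrayList<>();
    private final boolean reportOnly;
    // Class names that matched no accept pattern, in the order they appeared in the stream.
    private final Set<String> wouldReject = new LinkedHashSet<>();

    public ReportingObjectInputStream(InputStream in, boolean reportOnly, String... acceptRegexes)
            throws IOException {
        super(in);
        this.reportOnly = reportOnly;
        for (String r : acceptRegexes) {
            acceptPatterns.add(Pattern.compile(r));
        }
    }

    // Classes that would have been rejected; empty in enforcing mode.
    public Set<String> reportedClasses() { return new LinkedHashSet<>(wouldReject); }

    private boolean accepted(String className) {
        for (Pattern p : acceptPatterns) {
            if (p.matcher(className).matches()) return true;
        }
        return false;
    }

    // resolveClass runs for each class descriptor before any instance of it is created,
    // so an enforcing stream never instantiates a class that is not on the list.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!accepted(name)) {
            if (reportOnly) {
                wouldReject.add(name);
                LOG.info("would reject class " + name); // grep the log for these lines
            } else {
                throw new InvalidClassException(name, "class not on the accept list");
            }
        }
        return super.resolveClass(desc);
    }

    // Sample payload type, constructed for the demo; pulls in java.util.Date and ArrayList.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        String id = "A-1";
        Date placed = new Date(0L);
        ArrayList<String> lines = new ArrayList<>(Arrays.asList("widget"));
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Order());
        String orderOnly = Pattern.quote(Order.class.getName());

        // 1. Enforcing mode with an incomplete list: fails on the first unlisted class (the rebuild-and-retry loop).
        try (ReportingObjectInputStream in =
                 new ReportingObjectInputStream(new ByteArrayInputStream(payload), false, orderOnly)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("enforcing: " + e.getMessage());
        }

        // 2. Report-only mode: the whole object is read and every unlisted class is logged and collected.
        Set<String> needed;
        try (ReportingObjectInputStream in =
                 new ReportingObjectInputStream(new ByteArrayInputStream(payload), true, orderOnly)) {
            in.readObject();
            needed = in.reportedClasses();
        }
        System.out.println("report-only collected: " + needed);

        // 3. Enforcing mode with the collected names added to the list: deserialization now succeeds.
        List<String> regexes = new ArrayList<>(Arrays.asList(orderOnly));
        for (String n : needed) regexes.add(Pattern.quote(n));
        try (ReportingObjectInputStream in = new ReportingObjectInputStream(
                 new ByteArrayInputStream(payload), false, regexes.toArray(new String[0]))) {
            System.out.println("enforcing with full list: " + ((Order) in.readObject()).id);
        }
    }
}
```

Two caveats a practitioner would want before using such a mode. Report-only mode fully deserializes the input, so it offers no protection at all while it is switched on: run it only against trusted, representative traffic in a test environment, never against untrusted input in production. And the collected list is a starting point for review, not something to paste into the accept list wholesale; a class that turns up in the log because of a bug or an unexpected caller should be investigated rather than allowed.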