uschindler commented on code in PR #16138:
URL: https://github.com/apache/lucene/pull/16138#discussion_r3328584549
##########
lucene/spatial3d/src/java/org/apache/lucene/spatial3d/geom/SerializableObject.java:
##########
@@ -216,7 +216,13 @@ static Class<?> readClass(final InputStream inputStream)
return StandardObjects.CODE_REGISTRY.get(index);
} else {
String className = readString(inputStream);
- return Class.forName(className);
+ // Load without initializing and confirm the named class is actually a
SerializableObject
+ // before it can be instantiated, so a crafted stream cannot load
arbitrary classes.
+ Class<?> clazz = Class.forName(className, false,
SerializableObject.class.getClassLoader());
Review Comment:
Instead of doing the isAssignable check, it should maybe directly cast the class:
```java
// LOOKUP is a MethodHandles.Lookup; asSubclass narrows the Class object itself
// and throws ClassCastException if the class is not a SerializableObject.
Class<? extends SerializableObject> clazz =
    LOOKUP.findClass(className).asSubclass(SerializableObject.class);
```
Then you do not need any extra checks, and the exception is an expected one.
Also, better to change all method signatures, like the return value of this method and the `readObject` parameters, to take `Class<? extends SerializableObject>` instead of `Class<?>`.
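Added example (not code from the Lucene PR or from the reviewer): a stand-alone Java sketch of the narrowed signature discussed above, combining the hunk's `Class.forName(name, false, loader)` load with an `asSubclass(SerializableObject.class)` narrowing so the return type itself guarantees a SerializableObject. The `SerializableObject` interface, `GeoPointStub`, `ClassGateDemo` and the length-prefixed string encoding are all assumptions of this example, not Lucene's.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
/** Hypothetical stand-in for Lucene's SerializableObject interface (example only). */
interface SerializableObject {}
final class GeoPointStub implements SerializableObject {} // a type the stream may legitimately name
public final class ClassGateDemo {
  /** Hardened form: the return type itself proves the loaded class is a SerializableObject. */
  static Class<? extends SerializableObject> readClass(InputStream in) throws IOException {
    String className = readString(in);
    try {
      // initialize=false: no static initializer runs merely because a name appeared in the stream;
      // asSubclass then rejects anything that is not a SerializableObject with a ClassCastException.
      return Class.forName(className, false, SerializableObject.class.getClassLoader())
          .asSubclass(SerializableObject.class);
    } catch (ClassNotFoundException | ClassCastException e) {
      throw new IOException("Refusing class named in stream: " + className, e);
    }
  }
  /** Length-prefixed UTF-8 string (constructed for this example; not Lucene's wire format). */
  static String readString(InputStream in) throws IOException {
    DataInputStream din = new DataInputStream(in);
    int len = din.readInt();
    if (len < 0 || len > 1024) throw new IOException("implausible class-name length: " + len);
    byte[] buf = new byte[len];
    din.readFully(buf);
    return new String(buf, StandardCharsets.UTF_8);
  }
  /** Builds a stream that names the given class (constructed input for the demo). */
  static InputStream streamNaming(String className) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    DataOutputStream dos = new DataOutputStream(bos);
    byte[] bytes = className.getBytes(StandardCharsets.UTF_8);
    dos.writeInt(bytes.length);
    dos.write(bytes);
    return new ByteArrayInputStream(bos.toByteArray());
  }
  public static void main(String[] args) throws IOException {
    System.out.println(readClass(streamNaming("GeoPointStub")).getName()); // accepted
    try { readClass(streamNaming("java.util.ArrayList")); } // real class, but not a SerializableObject
    catch (IOException expected) { System.out.println("rejected: " + expected.getMessage()); }
  }
}
```

Compile and run with `javac ClassGateDemo.java && java ClassGateDemo`; the second call is rejected before any instance of the named class can exist.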
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]