dongyikuan919 commented on issue #16287: URL: https://github.com/apache/dubbo/issues/16287#issuecomment-4534400502
This looks like a real gap in where the Serializable check is enforced. The important point is that the current guard is attached to `getDefaultSerializer()`, but `writeReplace` is resolved earlier in `SerializerFactory#getSerializer(Class)`. So from the caller side the policy is not "all user classes must pass Serializable check before serialization", but only "classes that fall through to the default serializer must pass it".

For a fix, I would be careful about only checking the original class. A `writeReplace()` method can also return a replacement object with a different runtime type, so the test matrix probably needs both cases:

1. original class does not implement `Serializable`, has `writeReplace()` returning `this`;
2. original class has `writeReplace()` returning another non-serializable replacement type;
3. valid replacement path still works when both the original/replacement type satisfy the configured checker policy.

If the check is moved/duplicated before the `writeReplace` branch, it would also be worth confirming it does not break existing allowed Hessian replacement patterns. But I agree that the current sender/receiver behavior is inconsistent and should be covered by a regression test.
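The three cases in the comment, as an added illustration that is not Dubbo's or Hessian's code: a check that is applied to the original class and then re-applied to every runtime type a `writeReplace()` chain produces, so the policy does not depend on which serializer branch is taken afterwards. `POLICY`, `checkedReplacement` and the sample classes are hypothetical names constructed for this example.

```java
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.function.Predicate;

// Illustration only (not Dubbo's code): apply the Serializable check to the
// original class AND to every runtime type returned by writeReplace().
public class ReplacementAwareCheck {
    // Hypothetical stand-in for the configured checker policy.
    static final Predicate<Class<?>> POLICY = Serializable.class::isAssignableFrom;

    // Locate writeReplace() on the class or any superclass, as serializers do.
    static Method findWriteReplace(Class<?> type) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            try {
                Method m = c.getDeclaredMethod("writeReplace");
                m.setAccessible(true);
                return m;
            } catch (NoSuchMethodException ignored) { /* keep walking up */ }
        }
        return null;
    }

    // Returns the object that would actually be written; throws if the
    // original type or any replacement type fails the policy.
    static Object checkedReplacement(Object obj) throws Exception {
        Object current = obj;
        for (int depth = 0; depth < 8; depth++) {          // bound the chain
            Class<?> type = current.getClass();
            if (!POLICY.test(type))
                throw new IllegalArgumentException(type.getName() + " rejected by Serializable check");
            Method wr = findWriteReplace(type);
            if (wr == null) return current;
            Object next = wr.invoke(current);
            if (next == null || next == current) return current;
            current = next;                                 // re-check the replacement's type
        }
        throw new IllegalStateException("writeReplace chain too deep");
    }

    // Constructed sample classes covering the three cases in the comment.
    static class Case1 { Object writeReplace() { return this; } }                 // not Serializable
    static class Case2 implements Serializable { Object writeReplace() { return new Object(); } }
    static class Proxy implements Serializable { }
    static class Case3 implements Serializable { Object writeReplace() { return new Proxy(); } }

    public static void main(String[] args) throws Exception {
        for (Object o : new Object[] { new Case1(), new Case2(), new Case3() }) {
            String name = o.getClass().getSimpleName();
            try { System.out.println(name + " -> accepted as " + checkedReplacement(o).getClass().getSimpleName()); }
            catch (IllegalArgumentException e) { System.out.println(name + " -> " + e.getMessage()); }
        }
    }
}
```

Case1 and Case2 are rejected (at the original type and at the replacement type respectively), while Case3 is accepted with `Proxy` as the written type, which is the regression matrix the comment asks for.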
