Explicit Serialization API and Security
Peter Levart
peter.levart at gmail.com
Mon Jan 5 15:01:54 UTC 2015
On 01/05/2015 03:17 PM, David M. Lloyd wrote:
>> Would something like this prevent Finalizer attacks?
>>
>> - leave finalization registration the way it is (at object allocation
>> time).
This was written incorrectly: "after Object default constructor completes"
>> - provide internal API with which a previously registered object can be
>> de-registered
>> - deserialization infrastructure de-registers the instances that fail
>> deserialization
>
> How about simply forbidding classes with finalizers from being
> serialized or deserialized with this mechanism? Finalizers never
> really work the way you want anyway.
>
> Seems a better option than essentially doubling (or more) the end-user
> complexity to me.
This is invisible to the end-user. Just internal mechanics. I thought about
this some more, which I explained in a follow-up post.
Regards, peter
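For context, the application-level hardening that a class author can apply today against the finalizer attack the thread is discussing, as an added example that is not code from this thread or from the JDK: an instance is marked initialized only after construction or readObject has passed its checks, and a final finalize() refuses to act on anything else, so a subclass cannot resurrect a partially deserialized object. The class, field and counter names are hypothetical.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical resource holder, non-final on purpose so that the guard in
// finalize() (rather than the class being final) is what blocks the attack.
public class GuardedResource implements Serializable {
    private static final long serialVersionUID = 1L;

    // Constructed example of a resource that must be balanced: one "open"
    // per fully initialized instance, released by its finalizer.
    static final AtomicInteger OPEN_HANDLES = new AtomicInteger();

    // transient: a freshly deserialized instance always starts as false and
    // only readObject() below can flip it after validation succeeds.
    private transient boolean initialized;
    private final String name;

    public GuardedResource(String name) {
        this.name = validate(name);      // may throw; initialized stays false
        OPEN_HANDLES.incrementAndGet();
        this.initialized = true;
    }

    private static String validate(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("name must be non-empty");
        }
        return name;
    }

    // Re-run the constructor's checks on the deserialized state. If they
    // fail, the exception propagates out of ObjectInputStream.readObject()
    // and the half-built instance is left with initialized == false.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        validate(name);
        OPEN_HANDLES.incrementAndGet();
        initialized = true;
    }

    // final: a malicious subclass cannot override this to capture a reference
    // to an instance whose construction or deserialization failed.
    @Override
    @SuppressWarnings("deprecation")
    protected final void finalize() {
        if (!initialized) {
            return; // never completed: nothing was acquired, nothing to release
        }
        OPEN_HANDLES.decrementAndGet();
    }
}
```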