Regarding AdbaType.JAVA_OBJECT

Dave Cramer davecramer at gmail.com
Wed Sep 19 13:47:38 UTC 2018


Alexander,

Actually given that PostgreSQL is an OO database, it is probably the only
db that would make use of it!

You might want to reconsider your position

Dave Cramer


On Wed, 19 Sep 2018 at 09:39, Alexander Kjäll <alexander.kjall at gmail.com>
wrote:

> My personal opinion is that this feature isn't widely in use and is very
> hard or maybe impossible to implement without deserialization security
> holes, so the gains from dropping it outweigh the loss of functionality.
>
> Just my 0.02€
>
> //Alex
>
> On 17. sep. 2018 21:36, Douglas Surber wrote:
> > JAVA_OBJECT is included in AdbaType solely because it is in JDBCTypes
> > and JDBCType. How and if it is implemented is entirely up to the database
> > vendor and/or driver implementer. Or we can remove it.
> >
> > Douglas
> >
> >> On Sep 17, 2018, at 12:08 PM, Alexander Kjäll <
> >> alexander.kjall at gmail.com> wrote:
> >>
> >> Hi
> >>
> >> I would like to ask about how the JAVA_OBJECT type is supposed to be
> >> implemented.
> >>
> >> One way to do it would be to use Java's built-in serialization, but
> >> that's impossible without creating a serialization security hole in
> >> the driver, same if I serialize it to xml/json and let arbitrary types
> >> be deserialized.
> >>
> >> One way to maybe implement it without security holes is to let the end
> >> user register classes that are allowed, but that feels very clunky.
> >>
> >> I'm also questioning the usefulness of this feature in regard to all
> >> the serialization security holes Java is suffering from; is it really
> >> needed or can it be dropped?
> >>
> >> best regards
> >> Alexander Kjäll
>
>
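The allowlist Alexander sketches (letting the end user register the classes that may be deserialized), as an added example that is not part of this thread or of any JDBC/ADBA driver: a JDK 9+ ObjectInputFilter that rejects every class not registered, so Java's built-in serialization never instantiates an unexpected type. The class name RegisteredClassDeserializer and its methods are hypothetical.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not driver code: Java deserialization restricted to
// classes the application registered up front (JDK 9+ ObjectInputFilter).
public final class RegisteredClassDeserializer {
    private final Set<String> allowed = ConcurrentHashMap.newKeySet();

    public void register(Class<?> type) {
        allowed.add(type.getName());
    }

    // Consulted for every class, array and depth/reference check while the
    // stream is read, before any constructor or readObject method runs.
    private ObjectInputFilter filter() {
        return info -> {
            if (info.depth() > 8 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED; // object-graph limits
            }
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only check
            while (c.isArray()) c = c.getComponentType(); // judge arrays by element type
            return c.isPrimitive() || allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED; // unregistered type
        };
    }

    public Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter()); // must be set before readObject
            return in.readObject(); // InvalidClassException if the filter rejects
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        RegisteredClassDeserializer d = new RegisteredClassDeserializer();
        d.register(ArrayList.class);
        d.register(String.class); // String is filtered too, so it must be registered
        System.out.println(d.read(serialize(new ArrayList<>(List.of("a", "b")))));
        try {
            d.read(serialize(new HashMap<String, String>())); // HashMap was not registered
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs for each class descriptor as the stream is parsed, so an unregistered class is refused before its readObject or constructor can execute; the registration step is the "clunky" part Alexander refers to, since every element type in the graph has to be listed.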

