ObjectInputStream SPI

Chris Hegarty chris.hegarty at oracle.com
Tue Feb 9 12:20:38 UTC 2016


Peter,

I, along with others within Oracle, am interested in this general
area. We are tied up with other issues at the moment, but I hope to
get this within the next couple of weeks.

-Chris.

On 04/02/16 00:40, Peter Firmstone wrote:
> In light of recent examples of gadget deserialization attacks, I believe we need an OIS SPI.
>
> While OIS functionality can be overridden, there's no way to ensure this can be done for all uses of OIS.
>
> I believe this is necessary for security reasons, to allow Serialization to be completely disabled or restricted to only those classes in use by an application or reimplemented to allow input validation.
>
> An OIS SPI would be a very simple straightforward solution.
>
> Regards,
>
> Peter Firmstone.
>
> Sent from my Samsung device.
>
>



More information about the core-libs-dev mailing list