Regarding AdbaType.JAVA_OBJECT

Alexander Kjäll alexander.kjall at gmail.com
Wed Sep 19 13:39:28 UTC 2018


My personal opinion is that this feature isn't widely in use and is very 
hard or maybe impossible to implement without deserialization security 
holes, so the gains from dropping it outweigh the loss of functionality.

Just my 0.02€

//Alex

On 17. sep. 2018 21:36, Douglas Surber wrote:
> JAVA_OBJECT is included in AdbaType solely because it is in JDBCTypes and JDBCType. How and if it is implemented is entirely up to the database vendor and/or driver implementer. Or we can remove it.
>
> Douglas
>
>> On Sep 17, 2018, at 12:08 PM, Alexander Kjäll <alexander.kjall at gmail.com> wrote:
>>
>> Hi
>>
>> I would like to ask about how the JAVA_OBJECT type is supposed to be
>> implemented.
>>
>> One way to do it would be to use java's built in serialization, but
>> that's impossible without creating a serialization security hole in
>> the driver, same if I serialize it to xml/json and let arbitrary types
>> be deserialized.
>>
>> One way to maybe implement it without security holes is to let the end
>> user register classes that are allowed, but that feels very clunky.
>>
>> I'm also questioning the usefulness of this feature in regard to all
>> the serialization security holes java are suffering from, is it really
>> needed or can it be dropped?
>>
>> best regards
>> Alexander Kjäll
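
The allowlist approach Alexander raises above (let the application register the classes a JAVA_OBJECT column may carry, and reject everything else) can be built on the JDK's own ObjectInputFilter. The code below is an added illustration for this thread, not ADBA code or any driver's implementation; the class names RegisteredClassCodec and Point, the depth bound, and the sample HashMap stream are all constructed for the example, and it assumes Java 10 or later (java.io.ObjectInputFilter and Set.copyOf).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/**
 * Hypothetical JAVA_OBJECT codec: only classes the application registered up
 * front are ever instantiated from a stream. Added example, not ADBA or driver
 * code; names and limits are assumptions made for this illustration.
 */
public final class RegisteredClassCodec {
    private static final long MAX_DEPTH = 8; // constructed bound on object-graph nesting
    private final Set<Class<?>> allowed;

    public RegisteredClassCodec(Set<Class<?>> allowed) {
        this.allowed = Set.copyOf(allowed);
    }

    /** Serialize a registered object; unregistered types are refused before they hit the wire. */
    public byte[] encode(Serializable value) throws IOException {
        if (!allowed.contains(value.getClass())) {
            throw new IllegalArgumentException("class not registered: " + value.getClass().getName());
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Deserialize with a JEP 290 filter that rejects every class descriptor not on the allowlist. */
    public Object decode(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(this::check);
            return ois.readObject();
        }
    }

    private ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > MAX_DEPTH) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // callback is about size/references, not a class
        }
        while (c.isArray()) {
            c = c.getComponentType();                   // judge arrays by their element type
        }
        if (c.isPrimitive() || allowed.contains(c)) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;       // default deny for anything unregistered
    }

    /** Constructed sample type; only primitive fields, so no further class descriptors appear. */
    public static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x;
        final int y;
        Point(int x, int y) { this.x = x; this.y = y; }
        @Override public String toString() { return "Point(" + x + "," + y + ")"; }
    }

    public static void main(String[] args) throws Exception {
        RegisteredClassCodec codec = new RegisteredClassCodec(Set.of(Point.class));

        byte[] ok = codec.encode(new Point(3, 4));
        System.out.println("round trip: " + codec.decode(ok));

        // A stream carrying a class the application never registered (a plain HashMap here).
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }
        try {
            codec.decode(bos.toByteArray());
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter runs before any class in the stream is resolved or instantiated, which is what closes the hole the thread describes; the cost is the clunkiness Alexander mentions, since every class that can appear in a registered object's graph (including field types such as java.lang.String) has to be registered too, or the read fails with InvalidClassException.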


