...
```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

final class Ser implements Serializable {
  // transient: the File handle is omitted from the serialized form, so its path cannot be altered through the stream
  transient File f;

  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}
```
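Marking the handle `transient` also means it is not restored on deserialization, so the receiving side has to rebuild it from a source it controls rather than from anything in the stream. The following added example (not the guideline's own code; the class name `SerDemo`, the `FIXED_PATH` constant and the `getFile` accessor are assumptions) round-trips such an object through `ObjectOutputStream`/`ObjectInputStream`, checks that the path never appears in the serialized bytes, and re-creates the `File` in a private `readObject` method.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Added example (not the guideline's code): the resource path lives in code,
// never in the serialized form, and the handle is rebuilt after deserialization.
final class SerDemo implements Serializable {
    private static final long serialVersionUID = 1L;
    // Hypothetical path; a real application would take it from trusted configuration.
    private static final String FIXED_PATH = "c:\\filepath\\filename";
    // transient: skipped by defaultWriteObject/defaultReadObject
    private transient File f;

    public SerDemo() {
        f = new File(FIXED_PATH);
    }

    // Re-establish the handle after default deserialization. The path comes from a
    // compile-time constant, so a modified stream cannot redirect the handle.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        f = new File(FIXED_PATH);
    }

    public File getFile() { return f; }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new SerDemo());
        }
        byte[] bytes = bos.toByteArray();
        // Check 1: the path string never reaches the stream
        String raw = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("path present in stream: " + raw.contains("filepath"));
        // Check 2: after the round trip the handle is non-null and points at the constant path
        SerDemo copy;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            copy = (SerDemo) ois.readObject();
        }
        System.out.println("restored handle: " + copy.getFile().getPath());
    }
}
```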
...
Applicability
Deserializing direct handles to system resources can allow the modification of the resources being referred to.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| SEC61-JG | high | probable | low | P18 | L1 |
Automated Detection
Automated detection is not feasible.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...