...
This noncompliant code example declares a serializable File object in the class BadSer. The serialized form of the object exposes the file path in clear text, and that path can be altered in the serialized data before the object is deserialized. When the object is deserialized, subsequent file operations use the altered path, so the wrong file can be read or modified.
```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Noncompliant: the File handle, and therefore its path, is written to the
// serialized form and is trusted again on deserialization.
final class BadSer implements Serializable {
    File f;

    public BadSer() throws FileNotFoundException {
        f = new File("c:\\filepath\\filename");
    }
}
```
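The exposure described above and one way to close it, as an added example that is not part of the original page: it serializes a copy of BadSer, checks whether the path string is readable in the resulting bytes, and contrasts it with SafeSer, a hypothetical hardened class that keeps the File handle transient and rebuilds it from a trusted constant in readObject. FileSerDemo, SafeSer and TRUSTED_PATH are names assumed for this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class FileSerDemo {
    // Same path the page's BadSer uses; constructed for this example.
    static final String TRUSTED_PATH = "c:\\filepath\\filename";

    // Copy of the page's noncompliant class so the example runs stand-alone.
    static final class BadSer implements Serializable {
        File f;
        BadSer() throws FileNotFoundException { f = new File(TRUSTED_PATH); }
    }

    // Hardened variant (assumed, not the page's): the handle never enters the stream.
    static final class SafeSer implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient File f;

        SafeSer() { f = new File(TRUSTED_PATH); }

        // Rebuild the handle from a trusted source instead of trusting the stream.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            f = new File(TRUSTED_PATH);
        }

        File file() { return f; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Java serialization writes String fields as modified UTF-8, so an ASCII path
    // is visible verbatim in the stream bytes if the File was serialized.
    static boolean containsPath(byte[] stream) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(TRUSTED_PATH);
    }

    public static void main(String[] args) throws Exception {
        byte[] bad = serialize(new BadSer());
        byte[] safe = serialize(new SafeSer());
        System.out.println("BadSer stream exposes path: " + containsPath(bad));
        System.out.println("SafeSer stream exposes path: " + containsPath(safe));
        SafeSer restored = (SafeSer) new ObjectInputStream(new ByteArrayInputStream(safe)).readObject();
        System.out.println("SafeSer restored path: " + restored.file().getPath());
    }
}
```

The same substring check can be run over serialized blobs found in storage or on the wire to flag classes that leak file handles.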
...