...
This noncompliant code example declares a serializable File object in the class BadSer. The serialized form of the object exposes the file path, which can be altered. When the object is deserialized, the operations will be performed using the altered path, which can cause the wrong file to be read or modified.
```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Noncompliant: the File field is part of the default serialized form,
// so the path travels in the stream and can be changed before deserialization.
final class BadSer implements Serializable {
    File f;

    public BadSer() throws FileNotFoundException {
        f = new File("c:\\filepath\\filename");
    }
}
```
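The following added example (not code from the CERT page) makes the exposure visible: it serializes a BadSer instance, checks that the path string appears in the stream bytes, round-trips it to show the program uses whatever path the stream carries, and contrasts a holder class that does not implement Serializable, which the ObjectOutputStream refuses outright. The names SerDemo and GoodSer are assumptions introduced for the demonstration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class SerDemo {
    // Noncompliant: the File field is serialized, so its path travels in the stream.
    static final class BadSer implements Serializable {
        private static final long serialVersionUID = 1L;
        File f = new File("c:\\filepath\\filename");
    }

    // Compliant (assumed name GoodSer): the holder does not implement Serializable,
    // so it cannot be written to an ObjectOutputStream at all.
    static final class GoodSer {
        File f = new File("c:\\filepath\\filename");
    }

    // Serialize any object into a byte array so the stream contents can be inspected.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new BadSer());

        // File writes its path as a modified-UTF-8 string, so the path is readable
        // in clear by anyone who can see or store the serialized form.
        String dump = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("path present in stream: "
                + dump.contains("c:\\filepath\\filename"));

        // Round trip: the deserialized object uses whatever path the stream carries;
        // nothing ties it back to the path the constructor chose.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            BadSer back = (BadSer) ois.readObject();
            System.out.println("deserialized path: " + back.f.getPath());
        }

        // The non-Serializable holder fails closed: no stream, nothing to tamper with.
        try {
            serialize(new GoodSer());
        } catch (NotSerializableException e) {
            System.out.println("GoodSer refused: " + e.getMessage());
        }
    }
}
```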
Compliant Solution (Not Implementing Serializable)
...