...
According to the Java API [API 20062011], the writeUnshared() method:
writes Writes an "unshared" object to the ObjectOutputStream. This method is identical to writeObject, except that it always writes the given object as a new, unique object in the stream (as opposed to a back-reference pointing to a previously serialized instance).
Correspondingly, the readUnshared() method:
reads Reads an "unshared" object from the ObjectInputStream. This method is identical to readObject, except that it prevents subsequent calls to readObject and readUnshared from returning additional references to the deserialized instance obtained via this call.
...
| Code Block | ||
|---|---|---|
| ||
String filename = "serial";
try {
System.out.println("Serializing using writeObject");
ObjectOutputStream oos = new ObjectOutputStream
(new FileOutputStream(filename));
oos.writeObject(jane);
oos.close();
System.out.println("Deserializing using readObject");
ObjectInputStream ois = new ObjectInputStream
(new FileInputStream(filename));
Professor jane2 = (Professor)ois.readObject();
ois.close();
System.out.println("checkTutees returns: " +
jane2.checkTutees());
// prints "checkTutees returns: true"
} catch(Exception e) {
System.out.println("Exception during deserialization" + e);
}
|
...
Applicability
Using the writeUnshared() and readUnshared() methods may produce unexpected results.
...
Guideline
...
Severity
...
Likelihood
...
Remediation Cost
...
Priority
...
Level
...
MSC62-JG
...
medium
...
low
...
...
P6
...
L2
Automated Detection
Automated detection is straightforward.
...
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
Class Classes ObjectOutputStream and Class ObjectInputStream |