...
```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Noncompliant: the File object, and with it the file path, becomes part of the serialized form.
final class Ser implements Serializable {
  private File f;
  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}
```
...
```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Noncompliant: the class must implement Serializable for the File (and its path) to be serialized.
final class Ser implements Serializable {
  private File f;
  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}
```
...
This compliant solution declares the File object transient. Consequently, the file path is not serialized with the rest of the class and is not exposed to attackers.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Compliant: transient excludes the File object from the serialized form.
final class Ser implements Serializable {
  private transient File f;
  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}
```
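The following is an added example, not code from the CERT page, that makes the difference between the two versions observable: it serializes a class shaped like the noncompliant `Ser` and one shaped like the compliant `Ser` to byte arrays, checks whether the path string appears in each stream, and shows a `readObject` that re-creates the transient `File` from a fixed location so the handle is never taken from untrusted stream contents. The class names `LeakySer`, `SafeSer` and `TransientDemo` and the helper methods are assumptions made for this example; the path is the sample value used on the page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

/** Added example (hypothetical class): compares the serial form with and without transient. */
public final class TransientDemo {

    // Same shape as the noncompliant Ser: java.io.File is itself Serializable, so its
    // path string is written into the stream by default serialization.
    static final class LeakySer implements Serializable {
        private static final long serialVersionUID = 1L;
        private File f = new File("c:\\filepath\\filename"); // sample path from the page
    }

    // Same shape as the compliant Ser: transient keeps the File out of the stream.
    // readObject re-initializes the handle from a fixed, trusted location instead of
    // accepting whatever a deserialized stream might have carried.
    static final class SafeSer implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient File f = new File("c:\\filepath\\filename");

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();                 // restores non-transient fields only
            f = new File("c:\\filepath\\filename"); // never derived from stream contents
        }

        File file() { return f; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** True if the file path is readable as plain text inside the serialized bytes. */
    static boolean containsPath(byte[] bytes) {
        return new String(bytes, StandardCharsets.ISO_8859_1).contains("filepath");
    }

    public static void main(String[] args) throws Exception {
        byte[] leaky = serialize(new LeakySer());
        byte[] safe = serialize(new SafeSer());
        System.out.println("path visible in noncompliant stream: " + containsPath(leaky));
        System.out.println("path visible in compliant stream:    " + containsPath(safe));
        SafeSer restored = (SafeSer) deserialize(safe);
        System.out.println("restored file handle after readObject: " + restored.file());
    }
}
```

Running `java TransientDemo` shows the path appearing as clear text in the first stream and absent from the second; the same `containsPath`-style check over captured serialized data is a cheap way to confirm that a sensitive field really has been excluded from a class's serial form. The `readObject` override matters because a transient field is left at its default (`null`) after deserialization, so the compliant class needs to re-establish the handle itself rather than trust any value from the stream.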
...
Deserializing direct handles to system resources can allow the modification of the resources being referred to.
Bibliography
...