...
```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.Serializable;

class WeaponStore implements Serializable {
  int noOfWeapons = 10; // Total number of weapons
}

public class GameWeapon implements Serializable {
  WeaponStore ws = new WeaponStore();

  // The serializable form is declared explicitly: only "ws" is ever written,
  // so later changes to the instance fields do not alter the stream layout.
  private static final ObjectStreamField[] serialPersistentFields = {
    new ObjectStreamField("ws", WeaponStore.class)
  };

  private void readObject(ObjectInputStream ois) throws IOException {
    try {
      ObjectInputStream.GetField gf = ois.readFields();
      // The second argument is the default used when the stream lacks "ws"
      this.ws = (WeaponStore) gf.get("ws", ws);
    } catch (ClassNotFoundException e) {
      /* Forward to handler */
    }
  }

  private void writeObject(ObjectOutputStream oos) throws IOException {
    ObjectOutputStream.PutField pf = oos.putFields();
    pf.put("ws", ws);
    oos.writeFields();
  }

  public String toString() {
    return String.valueOf(ws);
  }
}
```
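The following driver is an added example, not code from the CERT page; it assumes `GameWeapon` and `WeaponStore` above are compiled in the same (default) package. It shows what `serialPersistentFields` actually buys: `ObjectStreamClass.lookup` reports that the stream form consists of exactly the declared field `ws`, and a round trip through `ObjectOutputStream`/`ObjectInputStream` restores the `WeaponStore` through the `GetField`/`PutField` path. The class name `SerialFieldsDemo` and the deserialization filter pattern are this example's own choices; the filter (Java 9 and later) is included because unrestricted `readObject()` on untrusted input is a separate, well-known risk.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamField;

// Added example (not from the CERT page). Round-trips a GameWeapon and
// inspects the stream layout that serialPersistentFields defines.
public class SerialFieldsDemo {

    // Serialize any Serializable object to a byte array.
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserialize with an allow-list filter (Java 9+): only the two classes
    // we expect may be instantiated; everything else ("!*") is rejected.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(
                ObjectInputFilter.Config.createFilter("GameWeapon;WeaponStore;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The serializable form is exactly the serialPersistentFields list:
        // this prints a single entry, "ws : WeaponStore", whatever other
        // instance fields GameWeapon grows later.
        ObjectStreamClass osc = ObjectStreamClass.lookup(GameWeapon.class);
        for (ObjectStreamField f : osc.getFields()) {
            System.out.println("stream field: " + f.getName() + " : " + f.getType().getName());
        }

        GameWeapon original = new GameWeapon();
        original.ws.noOfWeapons = 42; // package-private field, same package assumed

        byte[] bytes = serialize(original);
        GameWeapon copy = (GameWeapon) deserialize(bytes);

        // The WeaponStore travelled through PutField/GetField, so the value survives.
        System.out.println("noOfWeapons after round-trip: " + copy.ws.noOfWeapons);
    }
}
```

Because `readObject` obtains `ws` via `gf.get("ws", ws)`, a stream written by an older version of the class that lacks the field would simply leave the freshly constructed default in place rather than failing; the filter pattern above must be widened if the class ever serializes additional types.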
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References

[API 06] Java Platform, Standard Edition API Specification
[Sun 06] Java Object Serialization Specification, 1.5 "Defining Serializable Fields for a Class" and 1.7 "Accessing Serializable Fields of a Class"
[Bloch 08] Item 74: "Implement serialization judiciously"
[Harold 06] 13.7.5 serialPersistentFields
[MITRE 09] CWE-589, "Call to Non-ubiquitous API", http://cwe.mitre.org/data/definitions/589.html
...
14. Serialization (SER)