...
This noncompliant code example deserializes a byte array without first validating which classes will be instantiated and without using a SecurityManager.
```java
class DeserializeExample {
  public static Object deserialize(byte[] buffer)
      throws IOException, ClassNotFoundException {
    Object ret = null;
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (ObjectInputStream ois = new ObjectInputStream(bais)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
```
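For contrast, the following is an added example (not the page's own compliant solution) of the same method hardened with a look-ahead allow list: `resolveClass` is overridden so that any class descriptor not on the list is rejected before the class is loaded or its `readObject` logic can run. The class names on the list are assumed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Added example: an ObjectInputStream that only instantiates allow-listed classes.
class AllowListObjectInputStream extends ObjectInputStream {
  // Assumed allow list for illustration. resolveClass() is called for every
  // class descriptor in the stream, including superclasses, so a serialized
  // Integer needs both java.lang.Integer and java.lang.Number to be listed.
  private static final Set<String> ALLOWED = Set.of(
      "java.lang.Integer",
      "java.lang.Number",
      "java.lang.String");

  AllowListObjectInputStream(InputStream in) throws IOException {
    super(in);
  }

  @Override
  protected Class<?> resolveClass(ObjectStreamClass desc)
      throws IOException, ClassNotFoundException {
    // Reject unknown types before Class.forName() and any gadget code can run.
    if (!ALLOWED.contains(desc.getName())) {
      throw new InvalidClassException(
          "Unauthorized deserialization attempt", desc.getName());
    }
    return super.resolveClass(desc);
  }
}

class SafeDeserializeExample {
  public static Object deserialize(byte[] buffer)
      throws IOException, ClassNotFoundException {
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer);
         ObjectInputStream ois = new AllowListObjectInputStream(bais)) {
      return ois.readObject();
    }
  }
}
```

On Java 9 and later the same check can be expressed with `ObjectInputStream.setObjectInputFilter`, which additionally lets you cap stream depth, array length and total reference count.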
...