...

Non-Compliant Code Example

This non-compliant code deserializes a byte array without first validating which classes the stream will instantiate, and without a SecurityManager in place; any serializable class on the classpath can be reconstructed from attacker-controlled bytes.

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;

class DeserializeExample {
    // Deliberately non-compliant: readObject() resolves and constructs
    // whatever class names appear in the untrusted buffer.
    public static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
        Object ret = null;
        try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
            try (ObjectInputStream ois = new ObjectInputStream(bais)) {
                ret = ois.readObject();
            }
        }
        return ret;
    }
}
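A compliant counterpart, added here as an example rather than code from the CERT page: the look-ahead technique overrides resolveClass() so the class name in the stream is checked against an allow-list before any instance is created. LookAheadObjectInputStream, SafeDeserializeExample and the Greeting payload type are names and sample data constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

// Look-ahead stream (hypothetical name): resolveClass runs when the class descriptor is read,
// before an instance exists, so classes outside the allow-list never get their deserialization code run.
class LookAheadObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    LookAheadObjectInputStream(ByteArrayInputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
}

public class SafeDeserializeExample {
    // Constructed sample type; the only class this reader expects to see.
    static final class Greeting implements Serializable {
        final String text; Greeting(String text) { this.text = text; }
    }
    static Object deserialize(byte[] buffer, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(buffer), allowed)) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Greeting("hello")); }
        byte[] buffer = bos.toByteArray();  // constructed payload standing in for received bytes
        System.out.println(((Greeting) deserialize(buffer, Set.of(Greeting.class.getName()))).text);
        try {  // same bytes against an allow-list that does not name Greeting: rejected before construction
            deserialize(buffer, Set.of("java.lang.Integer"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same check is available without subclassing through ObjectInputStream.setObjectInputFilter() and java.io.ObjectInputFilter.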

...

http://www.ibm.com/developerworks/library/se-lookahead/

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/