Versions Compared

Comment: wordsmithing

...

In this compliant solution, the readObject() method throws an exception unless the deserialization is protected by a whitelist. Note that this compliant solution for SER13-J is complementary to the compliant solution in SER12-J. In the compliant solution for SER12-J, the source code location that invokes deserialization is modified to use a custom subclass of ObjectInputStream. That subclass overrides the resolveClass() method to check whether the class of the serialized object is whitelisted before that class's readObject() method is called. In contrast, in the following compliant solution for SER13-J, the presence of a whitelist is checked inside the readObject() method of the dangerous serializable class itself, so the protection does not depend on every call site remembering to use the whitelisting stream.
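The two mechanisms side by side, as an added example that is not the code from either CERT rule page: a hypothetical WhitelistedObjectInputStream plays the SER12-J role (resolveClass() rejects any class descriptor not on the allow list), and a hypothetical serializable class Account plays the SER13-J role (its readObject() refuses to proceed unless the stream it is handed is the whitelisting subclass). The class names, the allow-list contents and the three deserialization attempts in main() are all constructed for illustration.

```java
import java.io.*;
import java.util.Set;

public class WhitelistDemo {

    // SER12-J style (hypothetical): the call site uses this stream, and resolveClass()
    // consults an allow list before any class in the stream is resolved.
    static final class WhitelistedObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                // Rejected here, so the class's readObject() never runs.
                throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    // SER13-J style (hypothetical): the class itself checks that a whitelist is in
    // force before doing anything with the incoming data.
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;

        Account(String owner) { this.owner = owner; }
        String owner() { return owner; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            if (!(in instanceof WhitelistedObjectInputStream)) {
                throw new InvalidObjectException("Account may only be deserialized through a whitelisting stream");
            }
            in.defaultReadObject();
            // Any validation or other work belongs here, after the check has passed.
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Account("alice"));          // constructed sample input
        Set<String> allowed = Set.of(Account.class.getName());   // "WhitelistDemo$Account"

        // 1. A plain ObjectInputStream: Account.readObject() rejects it (SER13-J check).
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            System.out.println("unexpected: plain stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("plain stream rejected: " + e.getMessage());
        }

        // 2. The whitelisting stream with Account allowed: both checks pass.
        try (ObjectInputStream in = new WhitelistedObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            Account a = (Account) in.readObject();
            System.out.println("whitelisted stream accepted: " + a.owner());
        }

        // 3. The whitelisting stream with an empty allow list: resolveClass() rejects it
        //    before Account.readObject() is ever reached (SER12-J check).
        try (ObjectInputStream in = new WhitelistedObjectInputStream(new ByteArrayInputStream(bytes), Set.of())) {
            in.readObject();
            System.out.println("unexpected: empty allow list accepted");
        } catch (InvalidClassException e) {
            System.out.println("empty allow list rejected: " + e.getMessage());
        }
    }
}
```

Two practical points when combining the approaches this way: resolveClass() is invoked for every class descriptor in the stream, so the allow list must name every serializable class reachable from the top-level object (java.lang.String is written as a string constant, not a class descriptor, which is why it does not appear in the list above); and the instanceof test in readObject() is what makes the second defense independent of the call site, since a caller that forgets the custom stream gets an InvalidObjectException instead of a deserialized object.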

...