...
For the purposes of complying with SER13-J, it is permitted to assume that, if an ObjectInputStream is protected by a whitelist, then control will pass to the readObject() or readResolve() method of a class C only if C is on the whitelist. In other words, class C does not need to check that it appears on the whitelist; it only needs to check that a whitelist exists. This eliminates a redundant check against the whitelist, and it keeps the class compatible with a greater range of whitelist implementations (a custom ObjectInputStream subclass, a JEP 290 ObjectInputFilter, and so on), since the class does not need to know how the whitelist is represented.
...
In this compliant solution, the readObject() method throws an exception unless the deserialization is protected by a whitelist. Note that this compliant solution for SER13-J is complementary to the compliant solution in SER12-J. In the compliant solution for SER12-J, the source code location that invokes deserialization is modified to use a custom subclass of ObjectInputStream. That subclass overrides the resolveClass() method to check whether the class of the serialized object is whitelisted before that class's readObject() method gets called. In contrast, in the compliant solution below for SER13-J, the presence of a whitelist is checked inside the readObject() method of the dangerous serializable class itself, so the class fails closed even when it is deserialized from a call site that was never hardened.
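The following is an added example, not code from the CERT page, showing how the two halves fit together: a whitelisting ObjectInputStream subclass in the style of the SER12-J compliant solution, and a readObject() in the dangerous class that refuses to run unless it is being driven by such a stream. The class name WhitelistedObjectInputStream, the whitelist contents, and the temporary file used by the demo are assumptions made for the example.

```java
import java.io.*;
import java.nio.file.Files;
import java.util.Set;

// Added example (not the page's own code). Hypothetical whitelisting stream in
// the style of SER12-J: resolveClass() runs before any readObject(), so a class
// that is not on the list is rejected before its deserialization logic executes.
class WhitelistedObjectInputStream extends ObjectInputStream {
    private final Set<String> whitelist;

    public WhitelistedObjectInputStream(InputStream in, Set<String> whitelist) throws IOException {
        super(in);
        this.whitelist = whitelist;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!whitelist.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class is not on the deserialization whitelist");
        }
        return super.resolveClass(desc);
    }
}

// The dangerous serializable class: opening a file is a side effect an attacker
// could trigger by crafting a serialized object, so it must not run unguarded.
class OpenedFile implements Serializable {
    private static final long serialVersionUID = 1L;

    String filename;
    transient BufferedReader reader;   // not serializable; rebuilt by init()

    public OpenedFile(String filename) throws FileNotFoundException {
        this.filename = filename;
        init();
    }

    public void init() throws FileNotFoundException {
        reader = new BufferedReader(new FileReader(filename));
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.writeUTF(filename);
    }

    // SER13-J: perform the dangerous operation only when a whitelist is in force.
    // Per the assumption stated in the text, we check that a whitelist exists,
    // not that OpenedFile itself is on it; the stream already enforced that.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        if (!(in instanceof WhitelistedObjectInputStream)) {
            throw new InvalidObjectException("OpenedFile may only be deserialized through a whitelisted stream");
        }
        filename = in.readUTF();
        init();
    }
}

public class Ser13Demo {
    public static void main(String[] args) throws Exception {
        // Constructed input: a temporary file so the constructor's init() succeeds.
        File tmp = Files.createTempFile("ser13", ".txt").toFile();
        tmp.deleteOnExit();

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new OpenedFile(tmp.getPath()));
        }
        byte[] payload = bos.toByteArray();

        // 1. Unhardened call site: the class itself refuses to do the dangerous work.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.readObject();
            System.out.println("unexpected: deserialized without a whitelist");
        } catch (InvalidObjectException e) {
            System.out.println("rejected without whitelist: " + e.getMessage());
        }

        // 2. Hardened call site (SER12-J): the whitelist names OpenedFile, so it is allowed through.
        try (ObjectInputStream ois = new WhitelistedObjectInputStream(
                new ByteArrayInputStream(payload), Set.of("OpenedFile"))) {
            OpenedFile f = (OpenedFile) ois.readObject();
            System.out.println("deserialized with whitelist: " + f.filename);
        }
    }
}
```

On Java 9 and later, ObjectInputStream.getObjectInputFilter() exposes the JEP 290 filter attached to the stream, so a class that wants to accept either mechanism can treat a non-null filter as evidence that a whitelist exists; the caveat is that a filter that only limits depth or array size is not a whitelist, so that check should be adopted only where the deployment's filters are known to be class allow-lists.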
...
```java
import java.io.*;

class OpenedFile implements Serializable {
  String filename;
  transient BufferedReader reader;   // not serializable; created only by init()
  boolean isInitialized;

  public OpenedFile(String _filename) throws FileNotFoundException {
    filename = _filename;
    isInitialized = false;
  }

  // The potentially dangerous operation (opening a file) happens here, on an
  // explicit call by trusted code, never as a side effect of deserialization.
  public void init() throws FileNotFoundException {
    reader = new BufferedReader(new FileReader(filename));
    isInitialized = true;
  }

  private void writeObject(ObjectOutputStream out) throws IOException {
    out.writeUTF(filename);
  }

  // readObject() only restores state; it does not call init(), so a crafted
  // serialized object cannot cause a file to be opened.
  private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    filename = in.readUTF();
    isInitialized = false;
  }
}
```
...