...
Code Block

```java
import java.io.*;

class OpenedFile implements Serializable {
    String filename;
    BufferedReader reader;
    boolean isInitialized;

    public OpenedFile(String _filename) {
        filename = _filename;
        isInitialized = false;
    }

    // The potentially dangerous operation (opening a file) is deferred to an
    // explicit method the caller invokes after deserialization has completed.
    public void init() throws FileNotFoundException {
        reader = new BufferedReader(new FileReader(filename));
        isInitialized = true;
    }

    // Only the filename is written; the open reader is never serialized.
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.writeUTF(filename);
    }

    // readObject restores the filename but does not open the file.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        filename = in.readUTF();
        isInitialized = false;
    }
}
```
Related Vulnerabilities
CERT Vulnerability #576313 describes a family of exploitable vulnerabilities that arise from violating this rule.
Risk Assessment
The severity of violations of this rule depends on the nature of the potentially dangerous operations performed. If only mildly dangerous operations are performed, the risk might be limited to denial-of-service (DoS) attacks. At the other extreme, remote code execution is possible if attacker-controlled input reaches methods such as Runtime.exec (either directly or via reflection).
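The following harness is an added example, not code from the CERT page. It exercises the deferred-initialization design of OpenedFile above and adds a defender-side check the page does not show: an ObjectInputStream subclass whose resolveClass rejects every class that is not on an explicit allow list, so unexpected classes are refused before any of their readObject code runs. The class names DeferredInitDemo and AllowListInputStream, the temporary file, and the use of ArrayList as a rejected stand-in are all assumptions of this example; it expects OpenedFile to be compiled in the same (default) package.

```java
import java.io.*;
import java.util.Set;

// Added example (not from the CERT page). Assumes OpenedFile is compiled
// alongside this class in the default package.
public class DeferredInitDemo {

    // Refuses to resolve any class that is not explicitly allowed. The check
    // happens before the class is instantiated, so its readObject never runs.
    static final class AllowListInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of("OpenedFile");

        AllowListInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowListInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temporary file created by the demo itself.
        File tmp = File.createTempFile("opened-file-demo", ".txt");
        tmp.deleteOnExit();
        try (Writer w = new FileWriter(tmp)) {
            w.write("hello\n");
        }

        byte[] bytes = serialize(new OpenedFile(tmp.getPath()));

        // Deserialization restores only the name; no file is opened yet.
        OpenedFile restored = (OpenedFile) deserialize(bytes);
        if (restored.isInitialized || restored.reader != null) {
            throw new AssertionError("readObject must not open the file");
        }

        // The caller decides, after any validation it wants, whether to
        // perform the potentially dangerous operation.
        restored.init();
        try {
            System.out.println("first line: " + restored.reader.readLine());
        } finally {
            restored.reader.close();
        }

        // A stream carrying a class outside the allow list is rejected.
        byte[] other = serialize(new java.util.ArrayList<String>());
        try {
            deserialize(other);
            throw new AssertionError("ArrayList should have been rejected");
        } catch (InvalidClassException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Compile both files together (`javac OpenedFile.java DeferredInitDemo.java`) and run `java DeferredInitDemo`. The two checks in main correspond to the two halves of the mitigation: readObject leaves isInitialized false and reader null, proving the file-open is not performed by the deserialization machinery, and the allow-listing stream turns an unexpected class into an InvalidClassException rather than letting its deserialization code execute.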
...