Every serializable container class that has private mutable sub-objects must defensively copy these sub-objects in the readObject
method. An adversary can append extra references to the sub-objects to generate a new byte stream. When deserialized, this byte stream allows the creation of a container instance whose internal sub-object references are attacker controllable. Consequently, this allows the instance of the container class to mutate and violate its guarantees.
...
```java
import java.io.*;
import java.util.Date;

// Enclosing class shown for context; its name is assumed, only readObject is from the page.
public final class MutableSer implements Serializable {
    private Date date; // mutable sub-object; non-final so readObject can replace it

    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        // defensively copy the mutable component
        date = new Date(date.getTime());
        // perform validation if necessary
    }
}
```
Note that there is no need to copy immutable sub-objects. Also, avoid using the sub-object's `clone()` method because it can be overridden when the sub-object's class is non-final. The sub-objects (`date`) themselves must be non-final so that defensive copying can occur. It is also inadvisable to use the `writeUnshared` and `readUnshared` methods as an alternative [Bloch 08].
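To show what the copy prevents, here is an added example (not code from the CERT page): one stream carries a container and then a second reference to its `date` sub-object, standing in for the extra reference an adversary would append; the class name `Container` and the `copy` toggle are assumed for the demonstration. Without the copy the reader's handle aliases the container's internal `Date`, with it the container is unaffected.

```java
import java.io.*;
import java.util.Date;

public class AliasingDemo {
    // Added example: container with a private mutable sub-object. Names are assumed.
    private static final class Container implements Serializable {
        private static final long serialVersionUID = 1L;
        private Date date;           // non-final so readObject can replace it
        private final boolean copy;  // toggles the defensive copy for this demo

        Container(Date d, boolean copy) {
            this.date = new Date(d.getTime()); // copy on the way in as well
            this.copy = copy;
        }

        Date date() { return new Date(date.getTime()); } // accessor hands out a copy

        private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
            ois.defaultReadObject();
            if (copy) {
                date = new Date(date.getTime()); // defensive copy of the mutable component
            }
        }
    }

    // Writes the container and then a second reference to its internal Date into the
    // same stream. Java serialization records the second write as a back-reference
    // (handle), so whoever reads the stream gets the container's own Date instance.
    // This stands in for the extra references an adversary appends to a byte stream.
    static boolean internalDateIsAliased(boolean defensiveCopy) throws Exception {
        Container c = new Container(new Date(0L), defensiveCopy);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(c);
            oos.writeObject(c.date); // back-reference to the private sub-object
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            Container restored = (Container) ois.readObject();
            Date handle = (Date) ois.readObject(); // the stream's shared Date object
            handle.setTime(1L); // mutate it from outside the container
            return restored.date().getTime() == 1L; // true only if the internal Date is aliased
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without defensive copy, aliased: " + internalDateIsAliased(false));
        System.out.println("with defensive copy, aliased:    " + internalDateIsAliased(true));
    }
}
```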
...