What does it mean that Instant.readObject method "Defend[s] against malicious streams"?
While reading the source code of the Instant class, I came across this method:
/**
 * Defend against malicious streams.
 *
 * @param s the stream to read
 * @throws InvalidObjectException always
 */
private void readObject(ObjectInputStream s) throws InvalidObjectException {
    throw new InvalidObjectException("Deserialization via serialization delegate");
}
The description made me curious. What is a "malicious stream", and how does this method defend against it?
Instant and the other java.time classes use a package-scoped delegate, java.time.Ser, for serialization. See the writeReplace method for how the delegate is created.

Thus, the only way the readObject method could be called is if someone passes in a malicious stream (one created with the sole purpose of trying to create an invalid object). The exception ensures that such malicious streams are blocked.

In general, whenever you use a serialization delegate, you should consider blocking readObject like this.
Joshua Bloch, the author of "Effective Java", presented his idea of the serialization proxy pattern. The context is very instructive for your question:
With this writeReplace method in place, the serialization system will
never generate a serialized instance of the enclosing class, but an
attacker might fabricate one in an attempt to violate the class'
invariants. To guarantee that such an attack would fail, merely add this
readObject method to the enclosing class...
// readObject method for the serialization proxy pattern
private void readObject(ObjectInputStream stream) throws InvalidObjectException {
    throw new InvalidObjectException("Proxy required");
}
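The following is an added example (not code from the page, the JDK, or "Effective Java") that puts both answers into one small class: a value type whose serialized form is always a private proxy, whose proxy re-checks the class invariant on the way back in, and whose own readObject refuses any stream that names the outer class directly. The names ClosedRange and SerializationProxy are hypothetical; the structure mirrors the Instant / java.time.Ser arrangement discussed above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Hypothetical value class with the invariant lo <= hi. It is serialized through a
// proxy in the same way java.time.Instant delegates to java.time.Ser.
public final class ClosedRange implements Serializable {
    private static final long serialVersionUID = 1L;

    private final int lo;
    private final int hi;

    public ClosedRange(int lo, int hi) {
        if (lo > hi) {
            throw new IllegalArgumentException("lo must not exceed hi: " + lo + " > " + hi);
        }
        this.lo = lo;
        this.hi = hi;
    }

    public int lo() { return lo; }
    public int hi() { return hi; }

    // Called by ObjectOutputStream before writing: the stream never contains a
    // ClosedRange descriptor, only the proxy's.
    private Object writeReplace() {
        return new SerializationProxy(this);
    }

    // Defend against malicious streams. A stream that names ClosedRange directly
    // cannot have come from writeReplace, so it is refused outright instead of
    // being allowed to populate the final fields without a constructor.
    private void readObject(ObjectInputStream s) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }

    // The delegate; java.time.Ser plays this role for the java.time classes.
    private static final class SerializationProxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int lo;
        private final int hi;

        SerializationProxy(ClosedRange r) {
            this.lo = r.lo;
            this.hi = r.hi;
        }

        // Rebuild through the public constructor so the invariant is re-checked.
        // A proxy whose fields were tampered with (lo > hi) is rejected here with
        // InvalidObjectException rather than producing a corrupt ClosedRange.
        private Object readResolve() throws InvalidObjectException {
            try {
                return new ClosedRange(lo, hi);
            } catch (IllegalArgumentException e) {
                InvalidObjectException ioe =
                        new InvalidObjectException("Invalid range in stream: " + e.getMessage());
                ioe.initCause(e);
                throw ioe;
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ClosedRange original = new ClosedRange(3, 7);
        byte[] bytes = serialize(original);

        // Normal round trip: writeReplace -> proxy in stream -> readResolve -> constructor.
        ClosedRange copy = (ClosedRange) deserialize(bytes);
        System.out.println("round-trip: " + copy.lo() + ".." + copy.hi());

        // The class descriptor in the stream is the proxy's, which is why the outer
        // readObject is never reached by a legitimately produced stream.
        String dump = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("stream names the proxy: " + dump.contains("ClosedRange$SerializationProxy"));
    }
}
```

Run it with `java ClosedRange.java` (single-file launch, Java 11 or later). The two checks worth noticing are in different places: the invariant check lives in the proxy's readResolve, because that is the only path a well-formed stream takes, while the outer readObject exists solely for streams that were assembled by hand to name ClosedRange itself, which is exactly the "malicious stream" the Instant comment refers to.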