peter.firmstone at zeus.net.au
Thu Feb 4 00:40:22 UTC 2016
In light of recent examples of gadget deserialization attacks, I believe we need an OIS SPI.
While OIS functionality can be overridden, there's no way to ensure this can be done for all uses of OIS.
I believe this is necessary for security reasons, to allow Serialization to be completely disabled or restricted to only those classes in use by an application or reimplemented to allow input validation.
An OIS SPI would be a very simple straightforward solution.
Sent from my Samsung device.
More information about the core-libs-dev