alexander.kjall at gmail.com
Mon Sep 17 19:08:11 UTC 2018
I would like to ask about how the JAVA_OBJECT type is supposed to be
One way to do it would be to use java's built in serialization, but
that's impossible without creating a serialization security hole in
the driver, same if I serialize it to xml/json and let arbitrary types
One way to maybe implement it without security holes is to let the end
user register classes that are allowed, but that feels very clunky.
I'm also questioning the usefulness of this feature in regard to all
the serialization security holes Java is suffering from. Is it really
needed, or can it be dropped?
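As an added illustration of the "register allowed classes" approach the post floats (example code written here, not from the JDBC spec or any driver): the caller registers the types a JAVA_OBJECT column may contain, and the JDK 9+ java.io.ObjectInputFilter rejects every other class before an instance is created. AllowlistedObjectReader, the Point type and the depth/reference limits are assumptions.

```java
import java.io.*;
import java.util.*;
import static java.io.ObjectInputFilter.Status.*;

// Hypothetical helper, not part of any JDBC driver: reads a JAVA_OBJECT column
// with Java serialization, but only accepts classes the user registered.
public final class AllowlistedObjectReader {
    // Plain value types a registered class may hold in its fields.
    private static final Set<Class<?>> BASE = Set.of(String.class, Integer.class, Long.class, Double.class, Boolean.class);
    private final Set<Class<?>> allowed = new HashSet<>();
    // Serializable superclasses also appear as descriptors in the stream, so allow them too.
    public void register(Class<?> c) {
        for (Class<?> k = c; k != null && Serializable.class.isAssignableFrom(k); k = k.getSuperclass()) allowed.add(k);
    }
    // JDK 9+ filter: consulted for every class descriptor, array and nesting level
    // before an instance is created, so an unregistered gadget class is never loaded.
    private ObjectInputFilter filter() {
        return info -> {
            if (info.depth() > 16 || info.references() > 1_000) return REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return UNDECIDED;               // size-only callbacks
            while (c.isArray()) c = c.getComponentType();  // arrays of allowed types are fine
            return c.isPrimitive() || BASE.contains(c) || allowed.contains(c) ? ALLOWED : REJECTED;
        };
    }
    public Object read(byte[] column) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(column))) {
            in.setObjectInputFilter(filter());
            return in.readObject();  // throws InvalidClassException("filter status: REJECTED") on a hit
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    // Assumed user type stored in the column.
    public static final class Point implements Serializable { final int x, y; Point(int x, int y) { this.x = x; this.y = y; } }

    public static void main(String[] args) throws Exception {
        AllowlistedObjectReader reader = new AllowlistedObjectReader();
        reader.register(Point.class);
        Point p = (Point) reader.read(serialize(new Point(1, 2)));
        System.out.println("registered type read back: " + p.x + "," + p.y);
        try { reader.read(serialize(new ArrayList<>(List.of("x")))); }
        catch (InvalidClassException e) { System.out.println("unregistered type rejected: " + e.getMessage()); }
    }
}
```

The filter is applied to the class descriptors as they are read, so the rejection happens before any constructor, readObject or readResolve of the unregistered class runs.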