Explicit Serialization API and Security

Peter Levart peter.levart at gmail.com
Mon Jan 5 15:01:54 UTC 2015

On 01/05/2015 03:17 PM, David M. Lloyd wrote:
>> Would something like this prevent Finalizer attacks?
>> - leave finalization registration the way it is (at object allocation
>> time).

This was written incorrectly: "after Object default constructor completes"

>> - provide internal API with which a previously registered object can be
>> de-registered
>> - deserialization infrastructure de-registers the instances that fail
>> deserialization
> How about simply forbidding classes with finalizers from being 
> serialized or deserialized with this mechanism?  Finalizers never 
> really work the way you want anyway.
> Seems a better option than essentially doubling (or more) the end-user 
> complexity to me. 

This is invisible to the end-user. Just internal mechanics. I thought about 
this some more, which I explained in a follow-up post.

Regards, peter
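The alternative raised in the quoted reply, refusing to deserialize any class that overrides finalize() so a failed deserialization can never leave a finalizable half-built instance behind, can be expressed as a deserialization filter. The code below is an added example, not code from this thread or from the JDK; it uses java.io.ObjectInputFilter, the filter hook added in Java 9 (JEP 290), which did not exist when this message was written. The names NoFinalizerFilter, declaresFinalizer and the sample class Finalizable are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Rejects every class in an incoming stream that overrides finalize() (hypothetical filter, not JDK code). */
public final class NoFinalizerFilter implements ObjectInputFilter {

    @Override
    public Status checkInput(FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Depth, reference and array-length checks carry no class; leave them to other filters.
            return Status.UNDECIDED;
        }
        // For arrays, judge the element type (an array of finalizable objects is just as dangerous).
        while (c.isArray()) {
            c = c.getComponentType();
        }
        // UNDECIDED rather than ALLOWED so a global filter (jdk.serialFilter) still gets its say.
        return declaresFinalizer(c) ? Status.REJECTED : Status.UNDECIDED;
    }

    /** True if c or any superclass below Object declares finalize(), i.e. the instance is finalizable. */
    static boolean declaresFinalizer(Class<?> c) {
        for (Class<?> k = c; k != null && k != Object.class; k = k.getSuperclass()) {
            try {
                k.getDeclaredMethod("finalize");
                return true;
            } catch (NoSuchMethodException ignored) {
                // not declared here, keep walking up the hierarchy
            }
        }
        return false;
    }

    /** Constructed sample: a serializable class with a finalizer, the kind the filter must refuse. */
    @SuppressWarnings("deprecation")
    static final class Finalizable implements Serializable {
        private static final long serialVersionUID = 1L;
        int value;

        @Override
        protected void finalize() {
            // Would run even on an instance whose deserialization failed part-way through.
        }
    }

    public static void main(String[] args) throws Exception {
        // Build a perfectly ordinary stream containing a Finalizable instance.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new Finalizable());
        }

        // Reading it back through the filter fails before any Finalizable object is allocated.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            in.setObjectInputFilter(new NoFinalizerFilter());
            in.readObject();
            System.out.println("unexpected: finalizable class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for each class descriptor as the stream is parsed, so a REJECTED status surfaces as an InvalidClassException before ObjectInputStream allocates an instance of the offending class; that is what makes this approach immune to the partially-constructed-object problem without any change to how finalization registration works. It does nothing for the other design in this thread, de-registering already-allocated instances whose deserialization fails, which needs JDK-internal access and cannot be written against the public API.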
