ObjectInputStream SPI

Peter Firmstone peter.firmstone at zeus.net.au
Thu Feb 4 00:40:22 UTC 2016

In light of recent examples of gadget deserialization attacks, I believe we need an OIS SPI.

While OIS functionality can be overridden, there's no way to ensure this can be done for all uses of OIS.

I believe this is necessary for security reasons, to allow Serialization to be completely disabled or restricted to only those classes in use by an application or reimplemented to allow input validation.

An OIS SPI would be a very simple straightforward solution.


Peter Firmstone.

Sent from my Samsung device.

More information about the core-libs-dev mailing list