The serialized form of the object exposes the file path, which can be altered. When
the object is deserialized, the operations are performed using the altered path, which can
cause the wrong file to be read or modified.
Compliant Solution (Not Implementing Serializable)
This compliant solution shows a final class Ser that does not implement
java.io.Serializable. Consequently, the File object cannot be serialized.
import java.io.File;
import java.io.FileNotFoundException;

// Not Serializable, so neither the object nor its File handle can be written to a stream.
final class Ser {
File f;
public Ser() throws FileNotFoundException {
f = new File("c:\\filepath\\filename");
}
}
Compliant Solution (Object Marked Transient)
This compliant solution declares the File object transient. The file path is not serialized
with the rest of the class, and is consequently not exposed to attackers.
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

final class Ser implements Serializable {
// transient: the File (and its path) is skipped by default serialization.
transient File f;
public Ser() throws FileNotFoundException {
f = new File("c:\\filepath\\filename");
}
}
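As an added example (not the book's code), the following demo class serializes both variants to show that the File's path is visible in the byte stream only when the field is not transient, and adds the readObject step a practitioner needs, because a transient handle comes back null after deserialization. The class names, the TRUSTED_PATH constant and the revealsPath helper are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Added example, not the book's code. Compares a serialized File field with a
// transient one and rebuilds the handle from a trusted constant on readObject.
public class TransientFileDemo {
    static final String TRUSTED_PATH = "c:\\filepath\\filename"; // hypothetical path

    // Noncompliant: File is Serializable, so its path travels in the stream.
    static final class Exposed implements Serializable {
        private static final long serialVersionUID = 1L;
        File f = new File(TRUSTED_PATH);
    }

    // Compliant: handle is transient and rebuilt from the trusted constant,
    // so nothing in the (attacker-controlled) stream can redirect it.
    static final class Hidden implements Serializable {
        private static final long serialVersionUID = 1L;
        transient File f = new File(TRUSTED_PATH);

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();      // restores non-transient fields only
            f = new File(TRUSTED_PATH);  // transient field would otherwise be null
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // File writes its path as a UTF string, so the literal shows up in the bytes.
    static boolean revealsPath(byte[] stream) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains("filepath");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Exposed reveals path: " + revealsPath(serialize(new Exposed())));
        System.out.println("Hidden reveals path:  " + revealsPath(serialize(new Hidden())));
        byte[] bytes = serialize(new Hidden());
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            System.out.println("Restored handle: " + ((Hidden) in.readObject()).f.getPath());
        }
    }
}
```

Running it prints true for Exposed and false for Hidden, and the restored Hidden instance points at TRUSTED_PATH regardless of what the stream contained.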
Applicability
Deserializing direct handles to system resources can allow the modification of the resources being referred to.
ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it