Even if a class isn't serializable, it may still be deserializable. An adversary can create a sequence of bytes that happens to deserialize to an instance of the class. This is dangerous, since we do not have control over what state the deserialized object is in. We can think of deserialization as another kind of public constructor for our object; unfortunately, it is a kind of constructor that is difficult for us to control.
We can prevent this kind of attack by making it impossible to deserialize a byte stream into an instance of our class. We can do this by throwing an IOException from the readObject method.
// Invoked by ObjectInputStream whenever a stream claims to contain an
// instance of this class; rejecting it here blocks every such attempt.
private final void readObject(java.io.ObjectInputStream in)
        throws java.io.IOException {
    throw new java.io.IOException("Class cannot be deserialized");
}
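The following is an added, self-contained example (not code from the original post) showing the technique in the situation where it matters most: a class that never asked to be serializable but inherits it from a Serializable base class. The class names Entity, ApiToken and BlockDeserializationDemo are hypothetical, and the serialized bytes are produced from a constructed sample instance to stand in for an attacker-supplied stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical base class: once it is Serializable, every subclass is too.
class Entity implements Serializable {
    private static final long serialVersionUID = 1L;
}

// Hypothetical subclass whose state must come only from its constructor.
final class ApiToken extends Entity {
    private static final long serialVersionUID = 1L;
    private final String secret;

    ApiToken(String secret) {
        if (secret == null || secret.isEmpty()) {
            throw new IllegalArgumentException("empty secret");
        }
        this.secret = secret;
    }

    // Deserialization is a constructor we do not control: refuse it outright.
    private void readObject(ObjectInputStream in) throws IOException {
        throw new IOException("ApiToken cannot be deserialized");
    }
}
public class BlockDeserializationDemo {
    // Default serialization of a sample instance; the bytes have the same
    // layout an attacker-supplied stream would, so they serve as test input.
    static byte[] toBytes(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] stream = toBytes(new ApiToken("constructed-sample-secret"));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.readObject();
            System.out.println("FAIL: ApiToken was reconstituted from bytes");
        } catch (IOException expected) {
            System.out.println("Blocked: " + expected.getMessage());
        }
    }
}
```

Blocking readObject alone still lets instances be written out; applying the same idea to writeObject (throwing NotSerializableException) closes that side as well.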