- Sub-task
- Resolution: Unresolved
- P3
- 9
- None
It is clear that the finalization attack is an issue for deserialized objects.
I think that a deserialized object should not be “finalizable” until after
a certain point in its construction. I would like to investigate further the
possibility of making the VM aware of the first no-args default constructor,
or j.l.Object, being called by the serialization mechanism, and possibly
treating it differently.
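An added illustration (not code from this bug report or the JDK) of the workaround available to class authors today: because deserialization runs only the no-args constructor of the first non-serializable superclass (here `java.lang.Object`) and not the class's own constructor, the object is already finalizable before `readObject` validates the stream, so the class's own finalizer is guarded by a transient "initialized" flag that is set only after validation succeeds. The class name `GuardedResource` and its `limit` field are assumptions.

```java
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Constructed example: a serializable class whose finalizer stays inert
// for an instance that never completed construction or validation.
public final class GuardedResource implements Serializable {
    private static final long serialVersionUID = 1L;

    private final int limit;
    // Transient: always false right after deserialization, until readObject
    // has validated the stream and explicitly sets it.
    private transient boolean initialized;

    public GuardedResource(int limit) {
        if (limit < 0) throw new IllegalArgumentException("negative limit");
        this.limit = limit;
        this.initialized = true;   // last step of a successful construction
    }

    // Deserialization hook: the only place this class can validate its state.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (limit < 0) {
            // Throwing here leaves a half-built, finalizable instance behind;
            // 'initialized' remains false so finalize() does nothing with it.
            throw new InvalidObjectException("negative limit in stream: " + limit);
        }
        initialized = true;
    }

    public int limit() {
        if (!initialized) throw new IllegalStateException("not initialized");
        return limit;
    }

    // finalize() is deprecated; it is overridden here only to show the guard.
    @Override
    @SuppressWarnings("deprecation")
    protected void finalize() {
        if (!initialized) return;   // partially deserialized: do nothing
        // ... release resources owned by a fully constructed instance ...
    }
}
```

Declaring the class `final` also closes the other half of the finalizer attack, a subclass overriding `finalize()` to capture `this`; the flag guards the class's own finalizer, which the `final` modifier does not.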