- Type: Sub-task
- Resolution: Unresolved
- Priority: P3
- Affects Version/s: 9
- Component/s: core-libs
- None
It is clear that the finalization attack is an issue for deserialized objects. I think that a deserialized object should not be “finalizable” until after a certain point in its construction. I would like to investigate further the possibility of making the VM aware of the first no-args default constructor, or j.l.Object, being called by the serialization mechanism, and possibly treating it differently.
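Until the VM treats such objects differently, the library-level defence is the one a class author applies. The following is an added example, not code from this issue or from the JDK: a constructed non-final Serializable class (`Quota`, a hypothetical name) whose invariant is re-checked in `readObject()` because deserialization runs only `Object`'s no-arg constructor, and whose `finalize()` is declared `final` so a subclass cannot override it and retain an instance that failed that check. The `main` method round-trips a valid instance and then feeds a constructed invalid stream to show the check rejecting it.

```java
import java.io.*;

public class Quota implements Serializable {
    private static final long serialVersionUID = 1L;
    private int limit;                     // invariant: limit > 0
    private transient boolean initialized; // set only after validation succeeds

    public Quota(int limit) {
        if (limit <= 0) throw new IllegalArgumentException("limit must be > 0");
        this.limit = limit;
        initialized = true;
    }

    public int limit() {
        if (!initialized) throw new IllegalStateException("not fully initialized");
        return limit;
    }

    // Deserialization skips the constructor above (only Object's no-arg
    // constructor runs), so the invariant is re-checked here.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (limit <= 0) throw new InvalidObjectException("limit must be > 0");
        initialized = true;                // last step, as in the constructor
    }

    // Final so no subclass can override it and retain a reference to an
    // instance whose readObject() threw (Java SE Secure Coding Guideline 7-3).
    @Override
    protected final void finalize() {}

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Quota(5)); }
        byte[] valid = bos.toByteArray();
        Quota ok = (Quota) new ObjectInputStream(new ByteArrayInputStream(valid)).readObject();
        System.out.println("valid stream -> limit " + ok.limit());

        // Constructed invalid input: limit is the only non-transient field, so
        // its 4 bytes are the last 4 bytes of the stream; zero them out.
        byte[] bad = valid.clone();
        for (int i = bad.length - 4; i < bad.length; i++) bad[i] = 0;
        try {
            new ObjectInputStream(new ByteArrayInputStream(bad)).readObject();
        } catch (InvalidObjectException e) {
            System.out.println("invalid stream rejected: " + e.getMessage());
        }
    }
}
```

The `initialized` flag is the second half of the same guideline: even if an instance did escape before validation completed, its accessors refuse to operate on it.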