Details
- Task
- Resolution: Done
- Major
- 9.4.16.Final, 10.0.0.Final
- None
Description
The Java serialization whitelist should include the primitive wrapper classes and array types, if only because it's tedious to specify all of them in the configuration.
There's a similar argument for adding java.util.ArrayList to the default whitelist, especially for use as keys, because Object[] keys do not work with OBJECT storage (equals() and hashCode() are wrong). I'm not convinced yet, because applications eventually want to use a custom key class, and POCs can get away with converting to String and concatenating.
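Added example (not Infinispan code and not from this issue): a JDK `ObjectInputFilter` allowlist that admits the primitive wrapper classes, `String`, and arrays of any depth whose component type is allowed, so array types do not have to be enumerated one by one, while every other class is rejected. Assumes Java 9 or later; the allowed set and the sample objects are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Set;

public class WrapperArrayAllowList {
    // Constructed allowlist: the eight primitive wrappers plus String.
    private static final Set<Class<?>> ALLOWED = Set.of(
        Boolean.class, Byte.class, Short.class, Character.class,
        Integer.class, Long.class, Float.class, Double.class, String.class);

    // Admit allowed classes and arrays (of any depth) whose component type is allowed.
    static ObjectInputFilter filter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Null references and depth/size callbacks carry no class: leave them undecided.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {
                c = c.getComponentType(); // e.g. [[Ljava.lang.Integer; unwraps to Integer
            }
            return (c.isPrimitive() || ALLOWED.contains(c))
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter()); // the filter runs before any class is resolved
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(deserialize(serialize(Boolean.TRUE)));
        System.out.println(deserialize(serialize(new Integer[]{1, 2})).getClass().getName());
        try {
            deserialize(serialize(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The third call fails with an InvalidClassException because java.util.ArrayList is not in the allowed set, which is the same kind of block that the linked ISPN-10914 reports for java.lang.Boolean under a whitelist that lacks the wrappers.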
Issue Links
- incorporates ISPN-10914: ISPN000936: Class 'java.lang.Boolean' blocked by deserialization white list (Closed)