Created
June 2, 2021 13:20
-
-
Save artem-smotrakov/886638320b0db2b43a7b22cd2499c86f to your computer and use it in GitHub Desktop.
Example of a deserialization filter for an unsafe RMI object
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
public class Server { | |
public void bindRemoteObject(Registry registry) throws Exception { | |
ObjectInputFilter filter = info -> { | |
if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) { | |
return ObjectInputFilter.Status.ALLOWED; | |
} | |
return ObjectInputFilter.Status.REJECTED; | |
}; | |
registry.bind("unsafe", UnicastRemoteObject.exportObject(new RemoteObjectImpl(), 12345, filter)); | |
} | |
} | |
interface RemoteObject extends Remote { | |
void action(Object obj) throws RemoteException; | |
} | |
class RemoteObjectImpl implements RemoteObject { | |
// ... | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment