I am trying to build a defense against Java deserialization vulnerabilities by using the Apache API ValidatingObjectInputStream.
But it fails with the following exception, and I am not sure what might be missing here:
Object has been serialized
IOException is caught
java.io.StreamCorruptedException: invalid stream header: 74000732
at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:863)
at java.io.ObjectInputStream.<init>(ObjectInputStream.java:355)
at org.apache.commons.io.serialization.ValidatingObjectInputStream.<init>(ValidatingObjectInputStream.java:59)
at com.apple.ctbdp.controller.Test.deSerialize(Test.java:44)
at com.apple.ctbdp.controller.Test.main(Test.java:28)
Test.java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

class Test {
    public static void main(String[] args) {
        String object = new String("2323232");
        String filename = "file.ser";
        serialize(object, filename);
        deSerialize(filename);
    }

    private static void deSerialize(String filename) {
        String object1 = null;
        try {
            // Reading the object from a file
            FileInputStream fis = new FileInputStream(filename);
            // This ObjectInputStream already reads the serialization stream header from fis
            ObjectInputStream in = new ObjectInputStream(fis);
            // A second object stream on the same FileInputStream no longer sees that header
            final ValidatingObjectInputStream objectInStream = new ValidatingObjectInputStream(fis);
            objectInStream.accept(String.class);
            // Method for deserialization of object
            object1 = (String) objectInStream.readObject();
            in.close();
            fis.close();
            System.out.println("Object has been deserialized ");
            System.out.println("Test.deSerialize() " + object1);
        }
        catch (IOException ex) {
            ex.printStackTrace();
            System.out.println("IOException is caught");
        }
        catch (ClassNotFoundException ex) {
            System.out.println("ClassNotFoundException is caught");
        }
    }

    private static void serialize(String object, String filename) {
        // Serialization
        try {
            // Saving of object in a file
            FileOutputStream file = new FileOutputStream(filename);
            ObjectOutputStream out = new ObjectOutputStream(file);
            // Method for serialization of object
            out.writeObject(object);
            out.close();
            file.close();
            System.out.println("Object has been serialized");
        }
        catch (IOException ex) {
            System.out.println("IOException is caught");
        }
    }
}
Thanks for any hints/suggestions on this.
I was not closing the ValidatingObjectInputStream object, but was closing the ObjectInputStream object instead. With this change it now works fine.
Updated code:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

class Test {
    public static void main(String[] args) {
        String object = new String("2323232");
        String filename = "file.ser";
        serialize(object, filename);
        deSerialize(filename);
    }

    private static void deSerialize(String filename) {
        String object1 = null;
        try {
            // Reading the object from a file
            FileInputStream fis = new FileInputStream(filename);
            final ValidatingObjectInputStream objectInStream = new ValidatingObjectInputStream(fis);
            objectInStream.accept(String.class);
            // Method for deserialization of object
            object1 = (String) objectInStream.readObject();
            objectInStream.close();
            fis.close();
            System.out.println("Object has been deserialized ");
            System.out.println("Test.deSerialize() " + object1);
        }
        catch (IOException ex) {
            ex.printStackTrace();
            System.out.println("IOException is caught");
        }
        catch (ClassNotFoundException ex) {
            System.out.println("ClassNotFoundException is caught");
        }
    }

    private static void serialize(String object, String filename) {
        // Serialization
        try {
            // Saving of object in a file
            FileOutputStream file = new FileOutputStream(filename);
            ObjectOutputStream out = new ObjectOutputStream(file);
            // Method for serialization of object
            out.writeObject(object);
            out.close();
            file.close();
            System.out.println("Object has been serialized");
        }
        catch (IOException ex) {
            System.out.println("IOException is caught");
        }
    }
}
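The error in the question is worth reading precisely: the first ObjectInputStream constructed on fis consumes the 4-byte serialization header (AC ED 00 05), so the ValidatingObjectInputStream built on the same FileInputStream starts at the next bytes, 74 00 07 32, which are TC_STRING, a length of 7 and the first character '2' of "2323232". The updated code works because it now wraps the raw stream exactly once. The following is an added example, not code from the question or the answer, showing the allowlist actually doing its job: a class that is not accepted is rejected with an InvalidClassException before it is resolved. It assumes commons-io 2.5 or later on the classpath and uses in-memory byte arrays (constructed test input) instead of file.ser.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class AllowlistDemo {

    // Serialize an object to bytes; stands in for writing file.ser (constructed test input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an allowlist. Exactly one object stream wraps the raw bytes, so the
    // stream header is consumed once; try-with-resources closes the validating stream itself.
    // Any class descriptor whose name is not accepted makes resolveClass() throw
    // InvalidClassException("Class name not accepted: ...") before the class is loaded.
    static Object deserializeAllowing(byte[] data, Class<?>... allowed)
            throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream in =
                     new ValidatingObjectInputStream(new ByteArrayInputStream(data))) {
            in.accept(allowed);   // everything not listed here is rejected by default
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] plainString = serialize("2323232");
        Map<String, String> m = new HashMap<>();
        m.put("k", "v");
        byte[] map = serialize(m);

        // Accepted: the only class descriptor in the stream is java.util.HashMap
        System.out.println(deserializeAllowing(map, HashMap.class));

        // Same payload, allowlist only contains String: rejected at resolveClass()
        try {
            deserializeAllowing(map, String.class);
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Caveat: a top-level String is written as TC_STRING and read without any class
        // descriptor, so resolveClass() is never called and the allowlist is not consulted.
        System.out.println(deserializeAllowing(plainString));
    }
}
```

Two points follow from the last case. First, the allowlist guards classes that arrive as class descriptors (which is exactly where gadget classes would appear), so the check in the question's code is effective for real payloads even though accept(String.class) is not what lets a bare String through. Second, keep the allowlist as narrow as the data model requires: each class in an object graph, including superclasses and field types such as Integer and its superclass Number, must be accepted, which is deliberate friction. On Java 9+ (and 8u121+) the JDK's own ObjectInputFilter, set with ObjectInputStream.setObjectInputFilter, offers the same allowlist model plus depth and array-size limits, and is worth preferring where available.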