-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java3
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java2
-rw-r--r--eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/EaafSerializationUtilsTest.java3
3 files changed, 6 insertions, 2 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
index 1924e165..ebeeddb4 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
@@ -54,7 +54,8 @@ public class EaafObjectInputStream extends ObjectInputStream {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
} else if (objectDeep > 0
- && !(isValidClassType(clazz) || Object.class.getName().equals(desc.getName()))) {
+ && !(isValidClassType(clazz) || Object.class.getName().equals(desc.getName())
+ || Object[].class.getName().equals(desc.getName()))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
} else {
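Review bot: The added `Object[].class.getName()` branch accepts any nested `Object[]` regardless of the caller's allow-list, and nothing in the visible lines bounds the array length, which Java deserialization reads from the stream and allocates before any element is read. If no limit is configured elsewhere, consider pairing this exemption with an `ObjectInputFilter` that sets `maxarray`, so a forged length cannot force a large allocation. A comment such as `// Object[] is only a container; every element's class descriptor is still checked here` would record why the exemption is acceptable, assuming that is the intended reasoning. The enclosing method starts and ends outside this hunk.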
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
index efb4c9be..49b992f6 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
@@ -84,7 +84,7 @@ public class EaafSerializationUtils {
* allow-list.<br>
* <b>Hint:</b> Do NOT set {@link Object} as allowed class, because any class is
* an super-type of {@link Object}. This method implementation allows
- * {@link Object} as explicit type with strict check-mode.
+ * {@link Object} and Object[] as explicit type with strict check-mode.
* </p>
*
* @param bytes a serialized object
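Review bot: The reworded Javadoc line names `Object[]` as plain text and does not tell callers whether the array's elements are still checked against the allow-list. Suggested wording, if that is how the stream behaves: `{@link Object} and {@code Object[]} as explicit types in strict check-mode; array elements are still checked against the allow-list.` The Javadoc block starts and ends outside this hunk.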
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/EaafSerializationUtilsTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/EaafSerializationUtilsTest.java
index 98747b41..3535b217 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/EaafSerializationUtilsTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/EaafSerializationUtilsTest.java
@@ -112,6 +112,9 @@ public class EaafSerializationUtilsTest {
assertThrows(IllegalArgumentException.class, () -> EaafSerializationUtils.typeSpecificDeserialize(
object, Sets.newHashSet(DummyClassA.class, DummyClassB.class), DummyClassC.class));
+ assertThrows(IllegalArgumentException.class, () -> EaafSerializationUtils.typeSpecificDeserialize(
+ object, Sets.newHashSet(DummyClassA.class, DummyClassB.class), DummyClassC.class));
+
assertNotNull(EaafSerializationUtils.typeSpecificDeserialize(
object, Sets.newHashSet(DummyClassA.class, DummyClassB.class,
Throwable.class, StackTraceElement[].class,
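Review bot: The added `assertThrows` is an exact copy of the assertion directly above it (same `object`, same allow-list, same `DummyClassC.class` target), so it does not exercise the new `Object[]` allowance at all. A test that covers the change would serialize an object holding an `Object[]` field and assert it deserializes in strict mode without `Object[]` on the allow-list. A second case should place an element of a class outside the allow-list inside that array and assert it is still rejected, since that is the property that makes the exemption safe. The test method starts and ends outside this hunk.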