
ValidatingObjectInputStream 抛出 StreamCorruptedException（invalid stream header）

  • Omkar Shetkar  · 技术社区  · 6 年前

    我正试图使用 Apache Commons IO 的 ValidatingObjectInputStream 构建针对 Java 反序列化漏洞的防御（只允许反序列化白名单中的类）。

    但它失败并抛出以下异常，我不确定这里缺少了什么：

    Object has been serialized
    IOException is caught
    java.io.StreamCorruptedException: invalid stream header: 74000732
        at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:863)
        at java.io.ObjectInputStream.<init>(ObjectInputStream.java:355)
        at org.apache.commons.io.serialization.ValidatingObjectInputStream.<init>(ValidatingObjectInputStream.java:59)
        at com.apple.ctbdp.controller.Test.deSerialize(Test.java:44)
        at com.apple.ctbdp.controller.Test.main(Test.java:28)
    

    Test.java

    class Test {
        // Demo that serializes a String to a file and reads it back through
        // ValidatingObjectInputStream. This version reproduces the
        // StreamCorruptedException shown in the question.
        public static void main(String[] args) {
    
            String object = new String("2323232");
    
    
            String filename = "file.ser";
    
            serialize(object, filename);
    
            deSerialize(filename);
    
        }
    
        // Reads the object back from `filename`. The failure in the question comes
        // from this method: two object-stream wrappers are opened on the same
        // FileInputStream (see comments below).
        private static void deSerialize(String filename) {
            String object1 = null;
    
    
            try {
                // Reading the object from a file
                FileInputStream fis = new FileInputStream(filename);
    
                // BUG: the ObjectInputStream constructor already reads the 4-byte
                // serialization stream header (AC ED 00 05) from `fis`, and `in` is
                // never used to read anything afterwards.
                ObjectInputStream in = new ObjectInputStream(fis);
    
                // The second wrapper on the same `fis` tries to read the stream header
                // again, but the next bytes are the first record of the payload
                // (TC_STRING 0x74, length 0x0007, then "2323232"), hence
                // "invalid stream header: 74000732". Only ONE object stream may be
                // layered on a given FileInputStream.
                final ValidatingObjectInputStream objectInStream = new ValidatingObjectInputStream(fis);
                // Allow-list: only java.lang.String may be resolved; any other class
                // name reaching resolveClass() is rejected by the validating stream.
                objectInStream.accept(String.class);
    
    
                // Method for deserialization of object
                object1 = (String) objectInStream.readObject();
    
    
    
                // Only the unused ObjectInputStream is closed here (which also closes
                // `fis`); the ValidatingObjectInputStream is never closed, and nothing
                // is closed at all if readObject() throws.
                in.close();
                fis.close();
    
                System.out.println("Object has been deserialized ");
                System.out.println("Test.deSerialize() " + object1);
            }
    
            catch (IOException ex) {
                ex.printStackTrace();
                System.out.println("IOException is caught");
            }
    
            catch (ClassNotFoundException ex) {
                System.out.println("ClassNotFoundException is caught");
            }
        }
    
        // Writes `object` to `filename` with plain Java serialization. IOExceptions
        // are only printed, not rethrown, and the streams are not closed on the
        // exception path.
        private static void serialize(String object, String filename) {
            // Serialization
            try {
                // Saving of object in a file
                FileOutputStream file = new FileOutputStream(filename);
                ObjectOutputStream out = new ObjectOutputStream(file);
    
                // Method for serialization of object
                out.writeObject(object);
    
                out.close();
                file.close();
    
                System.out.println("Object has been serialized");
    
            }
    
            catch (IOException ex) {
                System.out.println("IOException is caught");
            }
        }
    }
    

    1 回复  |  直到 6 年前
  •   Shawn J. Molloy    5 年前

    我之前没有关闭 ValidatingObjectInputStream 对象，而是去关闭了那个多余的 ObjectInputStream 对象。根本原因是：ObjectInputStream 的构造函数会先从底层流读取 4 字节的序列化流头（AC ED 00 05），所以在同一个 FileInputStream 上再创建 ValidatingObjectInputStream 时，它读到的"流头"其实已经是第一条记录（TC_STRING 0x74 + 长度 0x0007，即 74000732）。去掉那个 ObjectInputStream，只保留 ValidatingObjectInputStream 并关闭它，问题就解决了。

    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    
    import org.apache.commons.io.serialization.ValidatingObjectInputStream;
    
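    class Test {
        /**
         * Round-trips a String through a file: writes it with plain Java
         * serialization, then reads it back through an allow-listing
         * {@link ValidatingObjectInputStream}.
         */
        public static void main(String[] args) {
    
            String object = new String("2323232");
    
    
            String filename = "file.ser";
    
            serialize(object, filename);
    
            deSerialize(filename);
    
        }
    
        /**
         * Reads one object back from {@code filename} through a
         * {@link ValidatingObjectInputStream} that accepts only {@code String}, and
         * prints it.
         *
         * <p>Exactly one object stream is layered on the {@code FileInputStream}. The
         * constructor of any {@code ObjectInputStream} consumes the 4-byte stream
         * header, so wrapping the same {@code fis} twice makes the second wrapper fail
         * with {@code StreamCorruptedException: invalid stream header}.
         *
         * <p>Failures are reported on stdout/stderr exactly as before; nothing is
         * rethrown.
         */
        private static void deSerialize(String filename) {
            String object1 = null;
    
            // try-with-resources closes both streams even when readObject() throws.
            // The earlier version only closed them on the success path, leaking the
            // file handle whenever a (possibly attacker-controlled) stream was rejected.
            try (FileInputStream fis = new FileInputStream(filename);
                 ValidatingObjectInputStream objectInStream = new ValidatingObjectInputStream(fis)) {
    
                // Allow-list. Once at least one accept() matcher is registered, every
                // other class name that reaches resolveClass() is rejected with an
                // InvalidClassException (an IOException) before the class is loaded or
                // instantiated -- this is what blocks gadget-chain payloads.
                // NOTE(review): a plain java.lang.String is written as TC_STRING and
                // does not go through resolveClass(), so this smoke test does not
                // actually exercise the allow-list; to verify it, serialize some other
                // class and confirm the InvalidClassException. On Java 9+ the JDK's own
                // ObjectInputFilter (ObjectInputStream.setObjectInputFilter) is the
                // built-in equivalent worth considering.
                objectInStream.accept(String.class);
    
                // Method for deserialization of object
                object1 = (String) objectInStream.readObject();
    
                System.out.println("Object has been deserialized ");
                System.out.println("Test.deSerialize() " + object1);
            }
    
            catch (IOException ex) {
                ex.printStackTrace();
                System.out.println("IOException is caught");
            }
    
            catch (ClassNotFoundException ex) {
                System.out.println("ClassNotFoundException is caught");
            }
        }
    
        /**
         * Writes {@code object} to {@code filename} with standard Java serialization.
         * IOExceptions are reported on stdout and not rethrown, as before.
         */
        private static void serialize(String object, String filename) {
            // try-with-resources: the streams are closed even if writeObject() fails
            // (the previous version leaked them on the exception path). Close order is
            // out, then file -- the same as the explicit calls it replaces.
            try (FileOutputStream file = new FileOutputStream(filename);
                 ObjectOutputStream out = new ObjectOutputStream(file)) {
    
                // Method for serialization of object
                out.writeObject(object);
    
                System.out.println("Object has been serialized");
    
            }
    
            catch (IOException ex) {
                System.out.println("IOException is caught");
            }
        }
    }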