public class ParanoidObjectDataInputStream
extends com.hazelcast.internal.serialization.impl.ObjectDataInputStream
ObjectDataInputStream specifically for use during join checks which applies bounds to certain operations.

What this class overrides and what it doesn't is strongly influenced by what methods the join check implementations actually call. For example, any of the read*Array methods could also be used to try and instantiate arrays of unrealistic size and trigger OutOfMemoryErrors. However, the join checks never call those methods, so in practice there's no vulnerability there.
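The bound that the `readUTF()` override on this page applies can be illustrated with a length-prefixed read that validates the declared length before allocating. This is an added example, not Hazelcast's or Atlassian's code: the wire format (4-byte length followed by 2-byte chars), the `MAX_CHARS` value, and the names `BoundedInput`, `readBoundedString` and `frame` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UTFDataFormatException;

public class BoundedUtfDemo {
    // Hypothetical cap; the real class's limit is not stated on this page.
    static final int MAX_CHARS = 1024;

    /** DataInputStream with an added length-checked string read (assumed wire format). */
    static class BoundedInput extends DataInputStream {
        BoundedInput(InputStream in) { super(in); }
        String readBoundedString() throws IOException {
            int len = readInt();                 // length prefix comes from the untrusted peer
            if (len == -1) return null;          // -1 encodes a null string
            if (len < 0 || len > MAX_CHARS) {    // reject before allocating anything
                throw new UTFDataFormatException("string length out of bounds: " + len);
            }
            char[] chars = new char[len];        // allocation is now bounded by MAX_CHARS
            for (int i = 0; i < len; i++) chars[i] = readChar(); // EOFException on short input
            return new String(chars);
        }
    }

    // Hypothetical helper: builds a frame whose declared length may not match its payload.
    static byte[] frame(int declaredLen, String payload) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(declaredLen);
        out.writeChars(payload);
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: honest frame, null marker, and a 4-byte frame claiming 2^31-1 chars.
        int[] lens = {5, -1, Integer.MAX_VALUE};
        String[] payloads = {"hello", "", ""};
        for (int i = 0; i < lens.length; i++) {
            BoundedInput in = new BoundedInput(new ByteArrayInputStream(frame(lens[i], payloads[i])));
            try {
                System.out.println(lens[i] + " -> " + in.readBoundedString());
            } catch (UTFDataFormatException e) {
                System.out.println(lens[i] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Without the bounds check, the third frame would make the reader attempt a `char[Integer.MAX_VALUE]` allocation from only four bytes of input, which is the OutOfMemoryError condition the class description refers to.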
Modifier and Type | Field and Description |
---|---|
protected com.hazelcast.version.Version | version |
Constructor and Description |
---|
ParanoidObjectDataInputStream(InputStream in, com.hazelcast.internal.serialization.InternalSerializationService serializationService) |
Modifier and Type | Method and Description |
---|---|
String | readUTF() Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors |
available, close, getByteOrder, getClassLoader, getSerializationService, mark, markSupported, read, read, read, readBoolean, readBooleanArray, readByte, readByteArray, readChar, readCharArray, readData, readDataAsObject, readDouble, readDoubleArray, readFloat, readFloatArray, readFully, readFully, readInt, readIntArray, readLine, readLong, readLongArray, readObject, readObject, readShort, readShortArray, readUnsignedByte, readUnsignedShort, readUTFArray, reset, skip, skipBytes
public ParanoidObjectDataInputStream(InputStream in, com.hazelcast.internal.serialization.InternalSerializationService serializationService)
public String readUTF() throws IOException
Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors
Specified by: readUTF in interface DataInput
Overrides: readUTF in class com.hazelcast.internal.serialization.impl.ObjectDataInputStream
Returns: null if the requested length is -1
Throws:
IOException - if data cannot be read from the stream
UTFDataFormatException - if the string length to read is excessively long
Copyright © 2003–2022 Atlassian. All rights reserved.