search

fyhack / google-gson

Automatically exported from code.google.com/p/google-gson
0 stars 0 forks source link

Permit type data in the serialized JSON #129

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?
GSon gson = new GSon();
MyObject ob = new MyObject();
String text = gson.toJson(ob);
MyObject copy_ob = (MyObject)gson.fromJson(text);

What version of the product are you using? On what operating system?
1.3

Please provide any additional information below.

Original issue reported on code.google.com by new.r...@gmail.com on 19 Jun 2009 at 5:41

GoogleCodeExporter commented 9 years ago 
While this may seem tempting, having the client JSON specify which class to 
instantiate seems to be full of 
security holes to me. Do you have a proposal on how to avoid security issues?

Original comment by inder123 on 23 Sep 2009 at 7:03

GoogleCodeExporter commented 9 years ago 
deferred for consideration in a future release.

Original comment by inder123 on 29 Sep 2009 at 6:13

GoogleCodeExporter commented 9 years ago 
How about allowing new org.mypackage.ClassName in JSON input?  

We would like to use Gson as a lightweight IoC controller (we already are using 
Gson) 
as it fits our use cases better than Guice (file-based configuration rather 
than 
annotation-based dependency injection).  

Security issues can be mitigated by disabling this by default.  A method in 
GsonBuilder 
(setXXX) can activate it.

Original comment by gin...@gmail.com on 21 Feb 2010 at 8:05

GoogleCodeExporter commented 9 years ago

Original comment by inder123 on 1 Nov 2010 at 10:32

GoogleCodeExporter commented 9 years ago

Original comment by inder123 on 3 Nov 2010 at 1:46

GoogleCodeExporter commented 9 years ago

Original comment by inder123 on 3 Nov 2010 at 1:46

GoogleCodeExporter commented 9 years ago

Original comment by limpbizkit on 4 Nov 2010 at 10:44