diff --git a/spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java b/spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java
index 96781177eff8..cd3d91b37922 100644
--- a/spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java
+++ b/spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
index cbe1df705a30..4823c8ea5eb9 100644
--- a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
+++ b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,9 +26,17 @@
 import org.springframework.lang.Nullable;
 /**
- * Static utilities for serialization and deserialization.
+ * Static utilities for serialization and deserialization using
+ * Java Object Serialization.
+ *
+ *
These utilities should be used with caution. See
+ * Secure Coding Guidelines for the Java Programming Language
+ * for details.
  *
  * @author Dave Syer
+ * @author Loïc Ledoyen
  * @since 3.0.5
  */
 public abstract class SerializationUtils {
@@ -58,13 +66,14 @@ public static byte[] serialize(@Nullable Object object) {
  * Deserialize the byte array into an object.
  * @param bytes a serialized object
  * @return the result of deserializing the bytes
- * @deprecated This utility uses Java's reflection, which allows arbitrary code to be
- * run and is known for being the source of many Remote Code Execution vulnerabilities.
- *
Prefer the use of an external tool (that serializes to JSON, XML or any other format)
- * which is regularly checked and updated for not allowing RCE.
+ * @deprecated This utility uses Java Object Serialization, which allows
+ * arbitrary code to be run and is known for being the source of many Remote
+ * Code Execution (RCE) vulnerabilities.
+ *
Prefer the use of an external tool (that serializes to JSON, XML, or
+ * any other format) which is regularly checked and updated for not allowing RCE.
*/
- @Nullable
@Deprecated
+ @Nullable
public static Object deserialize(@Nullable byte[] bytes) {
if (bytes == null) {
return null;
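Review bot: The reworded @deprecated text on deserialize(byte[]) still gives no safe-use guidance to callers who cannot drop the method; it only recommends switching to another format. Since the method remains available, the Javadoc should also state that any remaining use must be limited to input from a trusted source and that the classes accepted during deserialization should be restricted, for example with a JDK `ObjectInputFilter`. A sentence such as `* If the call cannot be removed, only pass bytes from a trusted source and restrict the classes that may be deserialized (for example via an {@code ObjectInputFilter}).` would fit after the RCE paragraph. The body of deserialize continues outside the hunk, so whether the stream is filtered there cannot be judged from this view.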
@@ -81,14 +90,15 @@ public static Object deserialize(@Nullable byte[] bytes) {
}
/**
- * Clone the given object using Java's serialization.
+ * Clone the given object using Java Object Serialization.
* @param object the object to clone
* @param