commons-dev mailing list archives

From Gary Gregory <>
Subject Re: [COLLECTIONS] Bad press on twitter following serialization issue
Date Sun, 08 Nov 2015 18:22:12 GMT
Hi All:

What about agreeing on a plan before we post anything? My proposal would be
to follow up on an idea posted on the dev ML: Use a system property to
enable the risky feature. This would change the default behavior to
disallow the feature. And possibly add a new config option on the
problematic class to control the behavior programmatically. If the prog
config would override the sys prop. We can release a 3.x and 4.x version
once we agree on a plan and then blog about it again.



On Sun, Nov 8, 2015 at 10:10 AM, Gabriel Lawrence <> wrote:

> If you guys want to put together a blog post about this, Chris and I would
> be happy to help. We've tried to be pretty clear to people that this isn't a
> problem with the libraries, but something that should be addressed by the
> deserializer either by not deserializing from a trusted source or by
> hacking in their own way to whitelist types allowed to be deserialized.
> I think the core message is that object instantiation is code execution,
> don't give untrusted folks the ability to instantiate arbitrary objects or
> you are going to have a bad day. Pulling together gadgets is a painful
> search, but the idea that you can find them all and eliminate them seems
> flawed. There are likely going to be things in your classpath that do stuff
> similar to the set of gadgets Chris found that rely on the apache library
> in tons of other class libraries as well.
> Let us know. Since this broke out on twitter we've both been trying hard to
> get the description of the root of the problem to be changed. But, it seems
> to have stuck for some reason... maybe because having it be a simple fix is
> just more desirable to people :-) Even when it isn't.
> gabe
> On Sun, Nov 8, 2015 at 1:41 AM, Benedikt Ritter <>
> wrote:
> > Hi,
> >
> > there is a lot of bad talk going on at twitter [1,2,3] and I'm wondering
> > whether we should respond to this via the Apache blog.
> >
> > Thoughts?
> > Benedikt
> >
> > [1]
> > [2]
> > [3]
> >
> >
> > --

E-Mail: |
Java Persistence with Hibernate, Second Edition
JUnit in Action, Second Edition <>
Spring Batch in Action <>
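The two controls discussed in this thread, a library-side switch (system property, overridable programmatically, default off) and a consumer-side allow list of types permitted to be deserialized, as one added Java example. This is illustration code written for this archive page, not code from the thread or from Commons Collections; the class `RiskyTransformer`, the property name `example.risky.deserialization`, `Greeting` and `AllowListObjectInputStream` are all assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class DeserializationGuards {

    // Stand-in for a library class whose deserialization is a risky feature
    // (hypothetical; not Commons Collections code). It only stores a method name.
    static final class RiskyTransformer implements Serializable {
        static final String PROP = "example.risky.deserialization"; // assumed name
        private static volatile Boolean programmaticSetting = null; // null = use PROP
        private final String methodName;

        RiskyTransformer(String methodName) { this.methodName = methodName; }

        static void setDeserializationAllowed(Boolean allowed) { programmaticSetting = allowed; }

        // Programmatic config wins over the system property; with neither set the
        // default is "disallowed" (Boolean.getBoolean is false unless PROP == "true").
        static boolean deserializationAllowed() {
            Boolean explicit = programmaticSetting;
            return explicit != null ? explicit : Boolean.getBoolean(PROP);
        }

        // Invoked by ObjectInputStream before this instance's fields are restored;
        // throwing here aborts the read, so no caller ever receives the object.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            if (!deserializationAllowed()) {
                throw new InvalidClassException(getClass().getName(),
                        "deserialization disabled; opt in with -D" + PROP + "=true or setDeserializationAllowed");
            }
            in.defaultReadObject();
        }
    }

    // Harmless type used to show that allow-listed classes still deserialize.
    static final class Greeting implements Serializable {
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Consumer-side guard: resolveClass runs for each class descriptor before any
    // instance of that class is created, so an allow list here stops unexpected
    // types no matter what the library itself does.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // allowList == null means a plain ObjectInputStream (library switch only).
    static Object read(byte[] bytes, Set<String> allowList) throws IOException, ClassNotFoundException {
        InputStream src = new ByteArrayInputStream(bytes);
        try (ObjectInputStream in = allowList == null ? new ObjectInputStream(src)
                                                       : new AllowListObjectInputStream(src, allowList)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] risky = serialize(new RiskyTransformer("someMethod"));   // constructed sample stream
        byte[] benign = serialize(new Greeting("hello"));                 // constructed sample stream
        Set<String> allowList = Collections.singleton(Greeting.class.getName());
        // 1. Library-side default: property unset, no programmatic setting -> refused.
        try { read(risky, null); } catch (InvalidClassException e) { System.out.println("default: " + e.getMessage()); }
        // 2. Programmatic opt-in overrides the unset system property -> accepted.
        RiskyTransformer.setDeserializationAllowed(Boolean.TRUE);
        System.out.println("after opt-in: " + read(risky, null).getClass().getSimpleName());
        // 3. Consumer-side allow list: Greeting passes; RiskyTransformer is rejected
        //    in resolveClass even though the library switch is now on.
        System.out.println("allow-listed: " + ((Greeting) read(benign, allowList)).text);
        try { read(risky, allowList); } catch (InvalidClassException e) { System.out.println("allow list: " + e.getMessage()); }
    }
}
```

Run with `javac DeserializationGuards.java && java DeserializationGuards`; the third scenario is the point Gabriel makes above: the consumer's allow list holds even when the library's own switch is turned on, because `resolveClass` rejects the descriptor before an instance exists. A production version should also override `resolveProxyClass` for dynamic-proxy descriptors, and on Java 9+ (or 8u121+) the standard way to express the same policy is `ObjectInputFilter` from JEP 290 rather than a hand-rolled subclass.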
