commons-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: [COLLECTIONS] Bad press on twitter following serialization issue
Date Sun, 08 Nov 2015 18:22:12 GMT
Hi All:

What about agreeing on a plan before we post anything? My proposal would be
to follow up on an idea posted on the dev ML: Use a system property to
enable the risky feature. This would change the default behavior to
disallow the feature. And possibly add a new config option on the
problematic class to control the behavior programmatically. The prog
config would override the sys prop. We can release a 3.x and 4.x version
once we agree on a plan and then blog about it again.

Thoughts?

Gary

On Sun, Nov 8, 2015 at 10:10 AM, Gabriel Lawrence <
gabriel.lawrence@gmail.com> wrote:

> If you guys want to put together a blog post about this, Chris and I would
> be happy to help. We've tried to be pretty clear to people that this isn't a
> problem with the libraries, but something that should be addressed by the
> deserializer either by not deserializing from a trusted source or by
> hacking in their own way to whitelist types allowed to be deserialized.
>
> I think the core message is that object instantiation is code execution,
> don't give untrusted folks the ability to instantiate arbitrary objects or
> you are going to have a bad day. Pulling together gadgets is a painful
> search, but the idea that you can find them all and eliminate them seems
> flawed. There are likely going to be things in your classpath that do stuff
> similar to the set of gadgets Chris found that rely on the apache library
> in tons of other class libraries as well.
>
> Let us know. Since this broke out on twitter we've both been trying hard to
> get the description of the root of the problem to be changed. But, it seems
> to have stuck for some reason... maybe because having it be a simple fix is
> just more desirable to people :-) Even when it isn't.
>
> gabe
>
> On Sun, Nov 8, 2015 at 1:41 AM, Benedikt Ritter <britter@apache.org>
> wrote:
>
> > Hi,
> >
> > there is a lot of bad talk going on at twitter [1,2,3] and I'm wondering
> > whether we should respond to this via the Apache blog.
> >
> > Thoughts?
> > Benedikt
> >
> > [1] https://twitter.com/JustineTunney/status/662937508980723712
> > [2] https://twitter.com/kennwhite/status/662709833464872960
> > [3] https://twitter.com/jodastephen/status/663253106751180800
> >
> >
> > --
> > http://people.apache.org/~britter/
> > http://www.systemoutprintln.de/
> > http://twitter.com/BenediktRitter
> > http://github.com/britter
> >
>



-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
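The two defensive measures discussed in this thread, Gary's proposal of a system property that leaves the risky feature disabled by default with a programmatic setting that overrides it, and Gabriel's point that the deserializer itself should allow-list the types it is willing to instantiate, sketched together in Java. This is an added example, not code from the thread or from Commons Collections; `RiskyTransformer`, the property name `example.enableUnsafeSerialization` and `AllowListObjectInputStream` are hypothetical names chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeserializationGuardDemo {

    // Library side (Gary's proposal). Hypothetical stand-in for a functor whose
    // deserialization is risky: refused by default, enabled via a system
    // property, with a programmatic setting that overrides the property.
    public static final class RiskyTransformer implements Serializable {
        private static final long serialVersionUID = 1L;
        // Hypothetical property name, not one the project defines.
        public static final String ENABLE_PROPERTY = "example.enableUnsafeSerialization";
        // null = no programmatic decision yet, defer to the system property.
        private static volatile Boolean programmaticOverride = null;

        public static void setUnsafeSerializationEnabled(Boolean enabled) {
            programmaticOverride = enabled;
        }

        public static boolean isUnsafeSerializationEnabled() {
            Boolean override = programmaticOverride;
            if (override != null) {
                return override;                        // prog config wins
            }
            return Boolean.getBoolean(ENABLE_PROPERTY); // false unless -D...=true
        }

        private final String methodName;

        public RiskyTransformer(String methodName) {
            this.methodName = methodName;
        }

        // Called by ObjectInputStream; the gate runs before any field is restored.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            if (!isUnsafeSerializationEnabled()) {
                throw new InvalidClassException(getClass().getName(),
                        "deserialization disabled by default; set -D" + ENABLE_PROPERTY
                        + "=true or call setUnsafeSerializationEnabled(true)");
            }
            in.defaultReadObject();
        }
    }

    // Consumer side (Gabriel's point): the application decides which classes may
    // be instantiated from a stream, independently of what any library permits.
    public static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClassNames;

        public AllowListObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
            super(in);
            this.allowedClassNames = allowedClassNames;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowedClassNames.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stream: a single RiskyTransformer instance.
        byte[] bytes = serialize(new RiskyTransformer("toString"));

        // 1. Default configuration: the library gate refuses the object.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            System.out.println("unexpected: gate did not fire");
        } catch (InvalidClassException e) {
            System.out.println("gate refused: " + e.getMessage());
        }

        // 2. The programmatic setting overrides the (unset) system property.
        RiskyTransformer.setUnsafeSerializationEnabled(true);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            System.out.println("explicitly enabled: " + in.readObject().getClass().getSimpleName());
        }

        // 3. Even with the library gate open, the consumer's allow list rejects
        //    a class it does not expect to see in the stream.
        Set<String> allowed = new HashSet<>(Arrays.asList("java.lang.String", "java.util.HashMap"));
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            in.readObject();
            System.out.println("unexpected: allow list did not fire");
        } catch (InvalidClassException e) {
            System.out.println("allow list refused: " + e.getMessage());
        }
    }
}
```

The two checks fire at different points: the `readObject` gate runs after the JVM has already allocated the instance, while `resolveClass` runs before the class named in the stream is even loaded, which is why a consumer-side allow list is the control that actually matches "object instantiation is code execution". The library gate is still worth having as a default, but it only covers the one library that ships it.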
