river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michal Kleczek <michal.klec...@xpro.biz>
Subject Re: Towards Internet Jini Services (trust)
Date Tue, 12 Oct 2010 13:53:16 GMT
On Tuesday 12 of October 2010 15:39:52 Michal Kleczek wrote:
> On Tuesday 12 of October 2010 15:07:07 Sim IJskes - QCG wrote:
> 
> > I dont like the idea, that we allow full deserialization before we have
> > had a change to let the IntegrityVerifier have a look at it.
> 
> But suppressing recursive readAnnotation already does that!!!
> Doesn't it?

Even without this we do not run untrusted code.
What can happen is attacker can send u a corrupted stream that contains of 
Modules annotated with Modules - but no untrusted code will have a chance to 
run.
In the end you're going to get StackOverflowError and quit.

Michal

Mime
View raw message