tomcat-dev mailing list archives

Subject [Bug 58662] New: blacklist some classes in custom ObjectInputStreams
Date Fri, 27 Nov 2015 12:23:04 GMT

            Bug ID: 58662
           Summary: blacklist some classes in custom ObjectInputStreams
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
                OS: Mac OS X 10.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina

Tomcat (at least 7 to 9) uses a custom ObjectInputStream. Since the server can't
control the fact that a user adds one of the vulnerable libraries in the same
classloader as Tomcat (aka common.loader), Tomcat should blacklist these.

This can be done with
(adapting the config I guess) and calling check(name) here
around classDesc.getName() before loading the class
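As an added example (not code from the bug report or from Tomcat), a subclass of ObjectInputStream that applies such a check to classDesc.getName() in resolveClass before the class is loaded; the denied prefixes are constructed placeholders, and the check also covers array and proxy descriptors, which goes beyond what the report describes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.List;

// Deserialization stream that refuses blacklisted classes before loading them.
// Added example; the prefixes in DENIED are constructed placeholders, not a real
// inventory of gadget classes (a deployment would read them from configuration).
public class FilteringObjectInputStream extends ObjectInputStream {
    private static final List<String> DENIED = Arrays.asList(
            "com.example.gadget.",             // constructed: a whole package
            "com.example.unsafe.Transformer"); // constructed: a single class

    public FilteringObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for every class descriptor read from the stream; the check runs
    // on desc.getName() before super.resolveClass() loads anything.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        check(desc.getName());
        return super.resolveClass(desc);
    }

    // Dynamic proxies are described by their interface names; check each one.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        for (String name : interfaces) {
            check(name);
        }
        return super.resolveProxyClass(interfaces);
    }

    // Rejects a class, or an array of it ("[Lcom.example.Foo;" is reduced to
    // "com.example.Foo"), whose name starts with a denied prefix.
    static void check(String name) throws InvalidClassException {
        String type = name.replaceAll("^\\[+L|;$", "");
        for (String denied : DENIED) {
            if (type.startsWith(denied)) {
                throw new InvalidClassException(name, "blacklisted for deserialization");
            }
        }
    }
}
```

A deny list only stops the classes it names; where the set of expected types is known, an allow list in the same resolveClass hook is the stronger default.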
