Posted to commits@lucene.apache.org by dw...@apache.org on 2019/12/17 12:39:22 UTC

[lucene-solr] 02/02: Merge forbidden APIs rules.

This is an automated email from the ASF dual-hosted git repository.

dweiss pushed a commit to branch gradle-master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git

commit 8906c2ddbe2f22887eb3dcbddd7976d8637bfd40
Author: Dawid Weiss <dw...@apache.org>
AuthorDate: Tue Dec 17 13:39:10 2019 +0100

    Merge forbidden APIs rules.
---
 gradle/validation/forbidden-apis/defaults.all.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gradle/validation/forbidden-apis/defaults.all.txt b/gradle/validation/forbidden-apis/defaults.all.txt
index 0a81d03..1e9a706 100644
--- a/gradle/validation/forbidden-apis/defaults.all.txt
+++ b/gradle/validation/forbidden-apis/defaults.all.txt
@@ -58,3 +58,7 @@ java.lang.Float#<init>(double)
 java.lang.Float#<init>(java.lang.String)
 java.lang.Double#<init>(double)
 java.lang.Double#<init>(java.lang.String)
+
+@defaultMessage Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!
+java.io.ObjectInputStream
+java.io.ObjectOutputStream
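
Review bot: The new `@defaultMessage` at the end of defaults.all.txt explains only the risk of deserializing untrusted data, but it also covers `java.io.ObjectOutputStream`, so a violation on a write path will report a reason that does not match the flagged class. Consider giving `java.io.ObjectOutputStream` its own message (the signatures format accepts a per-line `signature @ message`) or rewording the default so it covers Java serialization as a whole. The message also does not say what to use instead, or what to do where the input is known to be trusted; one short clause would make the build failure actionable. Minor: "The java developer" should read "The Java developer".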