Posted to commits@shiro.apache.org by GitBox <gi...@apache.org> on 2021/07/16 14:51:25 UTC

[GitHub] [shiro] bdemers commented on pull request #311: use block list to block dangerous gadget

bdemers commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-881507458


   Thanks for reaching out @k4n5ha0!  I want to point out a few things first.
   
   Potential vulnerabilities need to be handled differently than regular software bugs:
   - Apache has a [great guide on the topic](https://www.apache.org/security/), and a [step-by-step guide for committers](https://www.apache.org/security/committers.html).
   - I have a [few posts](https://developer.okta.com/blog/2020/03/13/developers-guide-on-reporting-vulnerabilities) on the topic as well.
   
   Back to the topic:
   - Shiro makes use of this ObjectStream through an encrypted stream, this means that Shiro itself should be the only one serializing the original data (mitigating this risk).
   - This PR implements a block list, which doesn't scale well; there will always be other entries that need to be added to a block list.  Instead, an allow list would be recommended, especially for uses in security. (e.g. only allow classes `A`, `B`, and `C`, instead of only blocking `X`, `Y`, and `Z`)
   
   
   All that said, we can continue the thread on the Shiro Security list if you want (or if you see any gaps in my explanation)!
   security@shiro.apache.org
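The allow-list versus block-list point above is the one a reviewer would want to see demonstrated. The following is an added example, not code from this PR, from Shiro, or from the commenter: it uses the JDK's own `java.io.ObjectInputFilter` (Java 9+) to build both kinds of filter for `ObjectInputStream` and shows why a block list lets any unlisted class through while an allow list rejects everything not explicitly expected. The classes `SessionData` and `Unexpected` are constructed stand-ins for "the type the application expects" and "some other serializable type"; `com.example.SomeKnownBadClass` is a hypothetical block-list entry, not a real class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class DeserializationFilterDemo {

    // Constructed sample type: the only object the application legitimately expects to read back.
    static final class SessionData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        SessionData(String principal) { this.principal = principal; }
        @Override public String toString() { return "SessionData(" + principal + ")"; }
    }

    // Constructed, harmless second type standing in for "any class nobody thought to list".
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
        @Override public String toString() { return "Unexpected(" + value + ")"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Block list: rejects only the classes explicitly named; every other class is allowed.
    static ObjectInputFilter blockList(Set<String> blockedClassNames) {
        return info -> {
            Class<?> c = info.serialClass();
            // serialClass() is null when the stream is checking limits (depth, references), not a class.
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return blockedClassNames.contains(c.getName())
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.ALLOWED;
        };
    }

    // Allow list: accepts only the classes explicitly named; every other class is rejected.
    // Every class reachable from the expected object graph (here also java.lang.String, the
    // field type of SessionData) must be listed, or legitimate data is rejected too.
    static ObjectInputFilter allowList(Set<String> allowedClassNames) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return allowedClassNames.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialize with the given filter installed; a REJECTED status surfaces as InvalidClassException.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionData("alice"));
        byte[] other = serialize(new Unexpected());

        // Hypothetical block-list entry; the point is that Unexpected is not on it.
        ObjectInputFilter block = blockList(Set.of("com.example.SomeKnownBadClass"));
        ObjectInputFilter allow = allowList(Set.of(
                SessionData.class.getName(), String.class.getName()));

        System.out.println("block list, expected type: " + deserialize(expected, block));
        System.out.println("block list, unlisted type: " + deserialize(other, block)); // slips through
        System.out.println("allow list, expected type: " + deserialize(expected, allow));
        try {
            deserialize(other, allow);
        } catch (InvalidClassException e) {
            System.out.println("allow list, unlisted type: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run as `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The block-list run accepts `Unexpected` because nobody listed it, which is exactly the maintenance problem described above; the allow-list run rejects it without anyone having to know it existed. The same filter can also be installed process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` so that streams created elsewhere in the application are covered as well.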