Posted to commits@shiro.apache.org by GitBox <gi...@apache.org> on 2021/07/16 14:21:49 UTC
[GitHub] [shiro] k4n5ha0 opened a new pull request #311: use block list to block dangerous gadget
k4n5ha0 opened a new pull request #311:
URL: https://github.com/apache/shiro/pull/311
org.apache.commons.collections.functors.ChainedTransformer.transform
org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.functors.InstantiateTransformer
org.apache.commons.collections4.functors.InvokerTransformer
org.apache.commons.collections4.functors.InstantiateTransformer
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
org.apache.xalan.xsltc.trax.TemplatesImpl
java.util.PriorityQueue
These gadgets are dangerous attack gadgets. If we block these necessary classes,
we can reduce vulnerabilities.
thx
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@shiro.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [shiro] bdemers commented on pull request #311: use block list to block dangerous gadget
Posted by GitBox <gi...@apache.org>.
bdemers commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-882587328
@k4n5ha0, it depends on how you have your application configured, but if you are using a `shiro.ini` file (or similar) it should be something like:
```ini
# define your implementation
myCustomSerializer = com.example.MySerializer
# assign it
securityManager.rememberMeManager.serializer = $myCustomSerializer
```
There are a few other `ini` examples in Shiro's configuration docs: https://shiro.apache.org/configuration.html
[GitHub] [shiro] bdemers commented on pull request #311: use block list to block dangerous gadget
Posted by GitBox <gi...@apache.org>.
bdemers commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-881507458
Thanks for reaching out @k4n5ha0! I want to point out a few things first.
Potential vulnerabilities need to be handled differently than regular software bugs:
- Apache has a [great guide on the topic](https://www.apache.org/security/), and a [step-by-step guide for committers](https://www.apache.org/security/committers.html).
- I have a [few posts](https://developer.okta.com/blog/2020/03/13/developers-guide-on-reporting-vulnerabilities) on the topic as well.
Back to the topic:
- Shiro makes use of this ObjectStream through an encrypted stream, this means that Shiro itself should be the only one serializing the original data (mitigating this risk).
- This PR implements a block list, which doesn't scale well; there will always be other entries that need to be added to a block list. Instead, an allow list would be recommended, especially for uses in security (e.g. only allow classes `A`, `B`, and `C`, instead of only blocking `X`, `Y`, and `Z`).
All that said, we can continue the thread on the Shiro Security list if you want (or if you see any gaps in my explanation)!
security@shiro.apache.org
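An allow-list serializer of the kind bdemers recommends, added here as an example (it is not Shiro's code and not part of this PR): the class name matches the `com.example.MySerializer` placeholder in the `shiro.ini` snippet above, and the set of allowed class names is an assumption that must be checked against what the deployment actually writes into the rememberMe cookie.

```java
import java.io.*;
import java.util.*;
import org.apache.shiro.io.SerializationException;
import org.apache.shiro.io.Serializer;

// Allow-list replacement for org.apache.shiro.io.DefaultSerializer, wired in via
// "securityManager.rememberMeManager.serializer = $myCustomSerializer" in shiro.ini.
public class MySerializer<T> implements Serializer<T> {

    // Assumed allow list: only what Shiro's rememberMe payload needs. Serializable
    // superclasses (HashMap, HashSet) pass through resolveClass too, so they are listed.
    // Verify against your deployment; custom principal types must be added here.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "org.apache.shiro.subject.SimplePrincipalCollection",
            "java.util.LinkedHashMap", "java.util.HashMap",
            "java.util.LinkedHashSet", "java.util.HashSet", "java.lang.String"));

    @Override
    public byte[] serialize(T o) throws SerializationException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
            oos.writeObject(o);
        } catch (IOException e) {
            throw new SerializationException("Unable to serialize rememberMe data", e);
        }
        return bytes.toByteArray();
    }

    @Override
    @SuppressWarnings("unchecked")
    public T deserialize(byte[] serialized) throws SerializationException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serialized)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                // Fail closed before the class is even loaded: a gadget chain's classes
                // (ChainedTransformer, TemplatesImpl, ...) are never resolved.
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on rememberMe allow list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return (T) ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new SerializationException("Unable to deserialize rememberMe data", e);
        }
    }
}
```

On Java 9 and later the same policy can be expressed with `java.io.ObjectInputFilter` instead of overriding `resolveClass`. Note that `resolveClass` is also invoked for array descriptors such as `[Ljava.lang.String;`, so any array type the payload contains needs an entry as well.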
[GitHub] [shiro] k4n5ha0 commented on pull request #311: use block list to block dangerous gadget
Posted by GitBox <gi...@apache.org>.
k4n5ha0 commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-881981180
@bdemers pls show some example of how to override `org.apache.shiro.io.DefaultSerializer`, I get an idea
thx :-)
[GitHub] [shiro] bdemers closed pull request #311: use block list to block dangerous gadget
Posted by GitBox <gi...@apache.org>.
bdemers closed pull request #311:
URL: https://github.com/apache/shiro/pull/311