Posted to commits@shiro.apache.org by GitBox <gi...@apache.org> on 2021/07/16 14:21:49 UTC

[GitHub] [shiro] k4n5ha0 opened a new pull request #311: use block list to block dangerous gadget

k4n5ha0 opened a new pull request #311:
URL: https://github.com/apache/shiro/pull/311


   org.apache.commons.collections.functors.ChainedTransformer.transform
   org.apache.commons.collections.functors.InvokerTransformer
   org.apache.commons.collections.functors.InstantiateTransformer
   org.apache.commons.collections4.functors.InvokerTransformer
   org.apache.commons.collections4.functors.InstantiateTransformer
   com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
   org.apache.xalan.xsltc.trax.TemplatesImpl
   java.util.PriorityQueue
   
   These gadgets are dangerous attack gadgets. If we block these classes,
   we can reduce the vulnerability.
   thx


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@shiro.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [shiro] bdemers commented on pull request #311: use block list to block dangerous gadget

Posted by GitBox <gi...@apache.org>.
bdemers commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-882587328


   @k4n5ha0, it depends on how you have your application configured, but if you are using a `shiro.ini` file (or similar) it should be something like:
   
   ```ini
   # define your implementation
   myCustomSerializer = com.example.MySerializer
   
   # assign it
   securityManager.rememberMeManager.serializer = $myCustomSerializer
   ```
   
   There are a few other `ini` examples in Shiro's configuration docs: https://shiro.apache.org/configuration.html
   
   





[GitHub] [shiro] bdemers commented on pull request #311: use block list to block dangerous gadget

Posted by GitBox <gi...@apache.org>.
bdemers commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-881507458


   Thanks for reaching out @k4n5ha0!  I want to point out a few things first.
   
   Potential vulnerabilities need to be handled differently than regular software bugs:
   - Apache has a [great guide on the topic](https://www.apache.org/security/), and a [step-by-step guide for committers](https://www.apache.org/security/committers.html).
   - I have a [few posts](https://developer.okta.com/blog/2020/03/13/developers-guide-on-reporting-vulnerabilities) on the topic as well.
   
   Back to the topic:
   - Shiro makes use of this ObjectStream through an encrypted stream; this means that Shiro itself should be the only one serializing the original data (mitigating this risk).
   - This PR implements a block list, which doesn't scale well; there will always be other entries that need to be added to a block list. Instead, an allow list would be recommended, especially for uses in security (e.g. only allow classes `A`, `B`, and `C`, instead of only blocking `X`, `Y`, and `Z`).
   
   
   All that said, we can continue the thread on the Shiro Security list if you want (or if you see any gaps in my explanation)!
   security@shiro.apache.org
   
   
   


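A serializer along the lines bdemers describes, added here as an example and not code from Shiro or from this PR: it stands in for `org.apache.shiro.io.DefaultSerializer` as the `com.example.MySerializer` named in the `shiro.ini` snippet above, and rejects every class that is not on an allow list before `ObjectInputStream` loads or instantiates it. The class names in `ALLOWED` are my assumption for a `SimplePrincipalCollection` of String principals; confirm them with a round-trip test against your own RememberMe data before deploying.

```java
import java.io.*;
import java.util.Set;
import org.apache.shiro.io.SerializationException;
import org.apache.shiro.io.Serializer;

/** Allow-list replacement for DefaultSerializer (example code, not Shiro's own). */
public class MySerializer implements Serializer<Object> {

    // Assumption: the RememberMe payload is a SimplePrincipalCollection holding String
    // principals (String needs no entry: ObjectInputStream does not call resolveClass
    // for it). Add your own principal classes here, and nothing else.
    static final Set<String> ALLOWED = Set.of(
            "org.apache.shiro.subject.SimplePrincipalCollection",
            "java.util.LinkedHashMap", "java.util.HashMap",
            "java.util.LinkedHashSet", "java.util.HashSet");

    @Override
    public byte[] serialize(Object o) throws SerializationException {
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
            oos.flush();
            return bos.toByteArray();
        } catch (IOException e) {
            throw new SerializationException("serialize failed", e);
        }
    }

    @Override
    public Object deserialize(byte[] serialized) throws SerializationException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serialized)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                // Reject anything off the list before the class is loaded or instantiated.
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on allow list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new SerializationException("deserialize failed", e);
        }
    }
}
```

Because `resolveClass` is consulted for every class descriptor in the stream, including superclasses such as `HashMap` under `LinkedHashMap`, a missing entry shows up as a rejected legitimate cookie rather than as a silent gap in the check.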



[GitHub] [shiro] k4n5ha0 commented on pull request #311: use block list to block dangerous gadget

Posted by GitBox <gi...@apache.org>.
k4n5ha0 commented on pull request #311:
URL: https://github.com/apache/shiro/pull/311#issuecomment-881981180


   @bdemers please show some example of how to override `org.apache.shiro.io.DefaultSerializer`. I get an idea.
   thx :-)





[GitHub] [shiro] bdemers closed pull request #311: use block list to block dangerous gadget

Posted by GitBox <gi...@apache.org>.
bdemers closed pull request #311:
URL: https://github.com/apache/shiro/pull/311


   




