Posted to issues@lucene.apache.org by "Robert Muir (Jira)" <ji...@apache.org> on 2019/12/16 12:32:00 UTC

[jira] [Created] (SOLR-14093) Ban ObjectInputStream and ObjectOutputStream in forbidden-apis

Robert Muir created SOLR-14093:
----------------------------------

             Summary: Ban ObjectInputStream and ObjectOutputStream in forbidden-apis
                 Key: SOLR-14093
                 URL: https://issues.apache.org/jira/browse/SOLR-14093
             Project: Solr
          Issue Type: Task
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Build
            Reporter: Robert Muir
            Assignee: Robert Muir


suggested build failure message:

{quote}
[forbidden-apis] Forbidden class/interface use: java.io.ObjectInputStream [Java deserialization is unsafe when the data is untrusted. The Java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!]
{quote}

I will whitelist existing places doing this for now.



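As an added example (not from the issue or from the Solr build), the forbidden-apis signatures file entry that would implement this ban; the file name is assumed, the message is the one suggested above, and the setting name for exemptions is forbidden-apis's own `suppressAnnotations` option:

```text
# Assumed file name: forbidden-serialization.txt (wired into the forbidden-apis
# build task alongside the existing signature files).
# A bare fully-qualified class name is a class/interface signature: every use
# of the class (construction, casts, parameter types, fields) fails the build.
@defaultMessage Java deserialization is unsafe when the data is untrusted. The Java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!
java.io.ObjectInputStream
java.io.ObjectOutputStream
```

Call sites that must keep using these classes for now are whitelisted by marking them with an annotation listed in the task's `suppressAnnotations` setting, so the exemptions stay visible in code review rather than hidden in the build configuration.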