Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/11/27 21:18:09 UTC

[Bug 58662] blacklist some classes in custom ObjectInputStreams

https://bz.apache.org/bugzilla/show_bug.cgi?id=58662

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
If an attacker can add a JAR to that directory then deserialization is likely
to be the least of your worries.

The recent spate of deserialization issues is only of concern if an application
accepts untrusted data and deserializes without validation/sanitization. A
default Tomcat install does not expose any such mechanism. If an application
chooses to accept such input then validation/sanitization is an application
concern.

I'll also note that security concerns should be raised via the security list,
not via a public bug tracker.

