You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Brian Demers (Jira)" <ji...@apache.org> on 2021/06/07 17:26:00 UTC

[jira] [Commented] (SHIRO-824) how to create an allow list avoid deserialize vulnerability

    [ https://issues.apache.org/jira/browse/SHIRO-824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358749#comment-17358749 ] 

Brian Demers commented on SHIRO-824:
------------------------------------

Hey [~k4n5hao]!

The mailing lists are a better place to ask questions about Shiro: https://shiro.apache.org/mailing-lists.html

 

But to answer your question, you should be able to apply to filter similar to this:

[https://docs.oracle.com/javase/10/core/serialization-filtering1.htm]

 

Or you could create your own {{Serializer}} if that doesn't meet your needs:

https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/lang/src/main/java/org/apache/shiro/lang/io/Serializer.java#L32

> how to create an allow list avoid deserialize vulnerability
> -----------------------------------------------------------
>
>                 Key: SHIRO-824
>                 URL: https://issues.apache.org/jira/browse/SHIRO-824
>             Project: Shiro
>          Issue Type: Question
>          Components: RememberMe
>    Affects Versions: 1.7.1
>            Reporter: k4n5hao
>            Priority: Critical
>
> how to create an allow list (or similar), to avoid deserialize vulnerability like Shiro-550 whith rememberMe? i really check doc and google, icant't find one. thx



--
This message was sent by Atlassian Jira
(v8.3.4#803005)