You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Greg Hogan (JIRA)" <ji...@apache.org> on 2017/04/30 12:02:04 UTC

[jira] [Commented] (FLINK-6421) Unchecked reflection calls in PojoSerializer

    [ https://issues.apache.org/jira/browse/FLINK-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15990201#comment-15990201 ] 

Greg Hogan commented on FLINK-6421:
-----------------------------------

Please describe the attack in greater detail. I am only seeing that we are loading a class, not executing arbitrary code, and that the user class itself can do these things. The data stream should be protected by SSL.

> Unchecked reflection calls in PojoSerializer
> --------------------------------------------
>
>                 Key: FLINK-6421
>                 URL: https://issues.apache.org/jira/browse/FLINK-6421
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Priority: Minor
>
> Here is one example:
> {code}
>       String subclassName = source.readUTF();
>       try {
>         actualSubclass = Class.forName(subclassName, true, cl);
> {code}
> subclassName may carry tainted value, allowing an attacker to bypass security checks, obtain unauthorized data, or execute arbitrary code



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)