Hi All:

What about agreeing on a plan before we post anything? My proposal would be to follow up on an idea posted on the dev ML: use a system property to enable the risky feature. This would change the default behavior to disallow the feature. And possibly add a new config option on the problematic class to control the behavior programmatically. The programmatic config would override the sys prop.

We can release a 3.x and 4.x version once we agree on a plan and then blog about it again.

Thoughts?

Gary

On Sun, Nov 8, 2015 at 10:10 AM, Gabriel Lawrence <gabriel.lawre...@gmail.com> wrote:

> If you guys want to put together a blog post about this, Chris and I would be happy to help. We've tried to be pretty clear to people that this isn't a problem with the libraries, but something that should be addressed by the deserializer, either by not deserializing from an untrusted source or by hacking in their own way to whitelist types allowed to be deserialized.
>
> I think the core message is that object instantiation is code execution; don't give untrusted folks the ability to instantiate arbitrary objects or you are going to have a bad day. Pulling together gadgets is a painful search, but the idea that you can find them all and eliminate them seems flawed. There are likely going to be things in your classpath that do stuff similar to the set of gadgets Chris found that rely on the Apache library, in tons of other class libraries as well.
>
> Let us know. Since this broke out on Twitter we've both been trying hard to get the description of the root of the problem to be changed. But it seems to have stuck for some reason... maybe because having it be a simple fix is just more desirable to people :-) Even when it isn't.
>
> gabe
>
> On Sun, Nov 8, 2015 at 1:41 AM, Benedikt Ritter <brit...@apache.org> wrote:
>
> > Hi,
> >
> > there is a lot of bad talk going on at Twitter [1,2,3] and I'm wondering whether we should respond to this via the Apache blog.
> >
> > Thoughts?
> > Benedikt
> >
> > [1] https://twitter.com/JustineTunney/status/662937508980723712
> > [2] https://twitter.com/kennwhite/status/662709833464872960
> > [3] https://twitter.com/jodastephen/status/663253106751180800
> >
> > --
> > http://people.apache.org/~britter/
> > http://www.systemoutprintln.de/
> > http://twitter.com/BenediktRitter
> > http://github.com/britter

--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
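[Editor's note, not part of the thread.] Two points in the messages above lend themselves to a concrete sketch: Gabriel's advice that the deserializer itself should whitelist the types it is willing to instantiate, and Gary's proposal that the risky behaviour be off by default, enabled via a system property, with a programmatic setting overriding the property. The Java class below is an added example written for this page; it is not code from Commons Collections or from anyone in the thread. The class name, the property name `example.deserialization.allowAnyClass`, and the `Greeting` payload are all hypothetical. It overrides `ObjectInputStream.resolveClass`, which the JDK calls while reading a class descriptor and before the object is instantiated, so a stream naming an unexpected class is rejected before any of that class's deserialization hooks can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical whitelisting deserializer (example code, not a project API).
 * Only class names present in the whitelist are resolved; everything else is
 * refused before instantiation. The unsafe "accept any class" behaviour is
 * off by default and can be turned on by a system property, and an explicit
 * constructor argument overrides the property.
 */
public class WhitelistObjectInputStream extends ObjectInputStream {

    /** Hypothetical property name: "true" re-enables the legacy accept-anything behaviour. */
    public static final String ALLOW_ANY_PROPERTY = "example.deserialization.allowAnyClass";

    private final Set<String> allowed;
    private final boolean allowAny;

    /** Default: behaviour is governed by the system property, which is false unless set. */
    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        this(in, allowed, Boolean.getBoolean(ALLOW_ANY_PROPERTY));
    }

    /** Programmatic override: the explicit flag wins over the system property. */
    public WhitelistObjectInputStream(InputStream in, Set<String> allowed, boolean allowAny)
            throws IOException {
        super(in);
        this.allowed = Collections.unmodifiableSet(new HashSet<>(allowed));
        this.allowAny = allowAny;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject before the class is loaded or any instance is created.
        if (!allowAny && !allowed.contains(name)) {
            throw new InvalidClassException(name, "class not in deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    /** Constructed demo payload; the only type the demo whitelist permits. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> whitelist = new HashSet<>();
        whitelist.add(Greeting.class.getName());

        byte[] expected = serialize(new Greeting("hello"));
        // A HashMap stands in for any class the application did not expect to receive.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        try (WhitelistObjectInputStream in =
                 new WhitelistObjectInputStream(new ByteArrayInputStream(expected), whitelist)) {
            Greeting g = (Greeting) in.readObject();
            System.out.println("accepted: " + g.text);
        }
        try (WhitelistObjectInputStream in =
                 new WhitelistObjectInputStream(new ByteArrayInputStream(unexpected), whitelist)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` accepts the `Greeting` stream and refuses the `HashMap` stream with an `InvalidClassException`; starting the JVM with `-Dexample.deserialization.allowAnyClass=true` would let the second stream through, and passing `false` to the three-argument constructor would refuse it again regardless of the property. Note that `String` values are written as a dedicated stream tag rather than a class descriptor, so they never reach `resolveClass` and need no whitelist entry; any other field types of a whitelisted class, and the classes of array elements, do.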