Re: libxstream-java blacklist EOL?

2021-06-02 Thread Markus Koschany
Hi Emilio, On Wednesday, 02.06.2021, 12:26 +0200, Emilio Pozuelo Monfort wrote: > I think it is time > we declare the block list unsupported, asking users to switch to the allow > list. > > Thoughts? I believe it is sensible to switch to the whitelist by default after we have tested the re

libxstream-java blacklist EOL?

2021-06-02 Thread Emilio Pozuelo Monfort
Hi, libxstream-java allows deserializing objects from XML. It can use a list of allowed types or a list of blocked ones. If using the latter, that list may be incomplete, causing security issues if an attacker deserializes insecure objects. That blocklist has repeatedly been found to be incomplete