Carsten,

On 2/19/20 03:59, Carsten Klein wrote:
> Hi there,
>
> had to re-setup my branch... Nevertheless, updated PR is available
> now.
>
> Some last things...
>
> The pattern for default sessionAttributeValueClassNameFilter must
> even be extended to match String arrays as well (roles are stored
> that way). In order to keep the pattern smaller, one option is to
> allow arrays for all "base types":
>
> Current pattern:
> "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)"
>
> New pattern (short version):
> "(\\[L)?java\\.lang\\.(?:Boolean|Integer|Long|Number|String);?" +
> "|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal"
>
> In terms of CVE-2016-0714, an array of any of these types is not
> really more insecure, right?

Correct. We are mostly worried about an attacker injecting an instance of a class which has some Bad Stuff in its implementation. The poster child for this was the commons-collections functor package which allows String-based configuration of remote-calls[1]. I would say that an array of anything already listed is just as safe as anything already listed.

-chris

[1] https://commons.apache.org/proper/commons-collections/security-reports.html
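The two patterns quoted above can be checked against the class names that Java's serialization stream actually presents, which is the easiest way to see what the proposed change admits and what it still rejects. The following is an added example written for this page; it is not code from the thread or from Tomcat. It copies the two Java string literals verbatim and assumes the filter is applied as a whole-string match on the class name (Matcher.matches(), not find()); the class name com.example.NotOnTheAllowList is a constructed placeholder.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SessionAttributeFilterCheck {

    // Current default pattern as quoted in the thread (Java string literal form).
    static final String CURRENT =
        "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)";

    // Proposed pattern from the thread: the optional "[L" prefix and ";" suffix
    // admit one-dimensional arrays of the same base types, plus the
    // SerializablePrincipal in which roles are persisted.
    static final String PROPOSED =
        "(\\[L)?java\\.lang\\.(?:Boolean|Integer|Long|Number|String);?"
        + "|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal";

    // Assumption: the allow-list is applied as a whole-string match on the class
    // name seen during deserialization. An unanchored find() would be a weaker
    // check, since any name merely containing "java.lang.String" would pass.
    static boolean allowed(String pattern, String className) {
        return Pattern.compile(pattern).matcher(className).matches();
    }

    public static void main(String[] args) {
        // Constructed sample class names in the form Class.getName() reports them.
        List<String> names = List.of(
            "java.lang.String",
            "[Ljava.lang.String;",            // String[]   : admitted by the proposal
            "[[Ljava.lang.String;",           // String[][] : still rejected (only one "[L")
            "[I",                              // int[]      : primitive arrays are not covered
            "org.apache.catalina.realm.GenericPrincipal$SerializablePrincipal",
            "com.example.NotOnTheAllowList"   // constructed placeholder, never matched
        );
        for (String n : names) {
            System.out.printf("%-70s current=%-5b proposed=%b%n",
                n, allowed(CURRENT, n), allowed(PROPOSED, n));
        }
    }
}
```

Running it shows that the proposal widens the allow-list by exactly one-dimensional object arrays of the listed types (a second "[" is not matched, and primitive arrays such as "[I" are outside the pattern), which is the narrow extension the thread argues is no riskier than the scalar types already listed. It also makes the matching mode visible: the pattern carries no ^ or $ anchors, so its safety as an allow-list depends on the caller using a whole-string match.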