Apache Sling issue SLING-5288

Restrict which classes can be deserialized


Details

    Type: Bug
    Status: Resolved
    Priority: Major
    Resolution: Won't Fix
    Component: General

    Description

      To avoid a recently reported Java deserialization vulnerability [1], we should restrict which classes are accepted when deserializing binaries.

      I have created a prototype SafeObjectInputStream at [2], which refuses to operate on classes that are outside a whitelist.

      We probably also need a wrapper for ObjectInputStreams provided by the environment; that looks a bit harder to create, but for now we can already discuss this prototype to see if we want to pursue the idea.

      [1] https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

      [2] https://svn.apache.org/repos/asf/sling/whiteboard/bdelacretaz/safe-object-input-stream

      People

        Assignee: Bertrand Delacretaz (bdelacretaz)
        Reporter: Bertrand Delacretaz (bdelacretaz)