This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-spi-extensions.git
The following commit(s) were added to refs/heads/master by this push:
new 12502f2 Explicitly call out hessian-rpc is unsafe by default (#196)
12502f2 is described below
commit 12502f2a5222d3013c7ba8718fe604a80ab57d03
Author: Arnout Engelen <[email protected]>
AuthorDate: Mon Mar 13 12:55:37 2023 +0100
Explicitly call out hessian-rpc is unsafe by default (#196)
---
dubbo-rpc-extensions/dubbo-rpc-hessian/README.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/dubbo-rpc-extensions/dubbo-rpc-hessian/README.md
b/dubbo-rpc-extensions/dubbo-rpc-hessian/README.md
new file mode 100644
index 0000000..e1a6465
--- /dev/null
+++ b/dubbo-rpc-extensions/dubbo-rpc-hessian/README.md
@@ -0,0 +1,14 @@
+# dubbo-rpc-hessian
+
+## Security
+
+Warning: by default, anyone who can provide data to the Hessian deserializer
+can cause it to run arbitrary code.
+
+For that reason, if you enable the dubbo-rpc-hessian component, you must make
+sure your deployment is only reachable by trusted parties, and/or configure
+a serialization whitelist. Unfortunately we don't currently have any
+documentation on how to configure a serialization whitelist.
+
+For more general information on how to deal with deserialization security,
+see [this
page](https://dubbo.apache.org/en/docs/notices/security/#some-suggestions-to-deal-with-the-security-vulnerability-of-deserialization)
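Review bot: the "and/or" in "make sure your deployment is only reachable by trusted parties, and/or configure a serialization whitelist" presents the whitelist as a sufficient alternative to network restriction, yet two lines later the README admits there is no documentation on how to configure one; as written, a reader can pick the option that cannot actually be followed. Suggest "and" instead of "and/or" so that restricting reachability is stated as the baseline mitigation, and replace "Unfortunately we don't currently have any documentation on how to configure a serialization whitelist." with a pointer to a tracking issue so the gap is visible rather than a dead end. Minor: the final sentence ("For more general information ... see [this page](...)") is missing its closing period.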