pjfanning commented on issue #2391: URL: https://github.com/apache/fory/issues/2391#issuecomment-3046422484
So if you set requireClassRegistration(false) and a malicious user knows of a RCE gadget not disallowed via hardcode in Fory, then Fory will happily accept the RCE even if the user tells Fory what class they are expecting by calling deserialize(bytes, class). `deserialize(bytes, class)` doesn't care what value is passed in other than to cast the result. Most serde libs provide stronger guarantees than this. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
