pjfanning commented on issue #2391: URL: https://github.com/apache/fory/issues/2391#issuecomment-3047201653
@chaokunyang Fory has a built-in disallow list. This is good, but it is not a full list of every dangerous class. I don't care about serialize, but I care about deserialize. Deserialize is the attack vector: malicious users can hack Fory to serialize dangerous bytes and send them to an app that they know will try to deserialize the bytes with Fory. They might know about a dangerous class that the Fory team does not know about. But if Fory checks the class in the bytes it receives and validates that it matches what the user expects, then things are safer.
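The receiver-side check the comment asks for, as an added example that is not part of the thread or the Fory project's own code. It assumes the Fory Java builder API (`Fory.builder().requireClassRegistration(true)`, `register`, `serialize`, `deserialize`); the `Order` class and `deserializeAs` helper are constructed for illustration.

```java
import org.apache.fory.Fory;
import org.apache.fory.config.Language;

// Added example, not from the Fory project or the issue thread.
// Assumes the Fory Java API: Fory.builder().requireClassRegistration(true),
// fory.register(Class), fory.serialize(Object), fory.deserialize(byte[]).
public class ExpectedClassDeserialize {

    // Constructed sample type that this endpoint expects to receive.
    public static final class Order {
        public String id;
        public int quantity;
    }

    // Receiver side: only classes registered here can be decoded; any other
    // class named in the incoming bytes is rejected rather than looked up by name.
    static Fory newReceiver() {
        Fory fory = Fory.builder()
                .withLanguage(Language.JAVA)
                .requireClassRegistration(true) // allowlist, not only the built-in disallow list
                .build();
        fory.register(Order.class);
        return fory;
    }

    // Decode, then check the root type against what this endpoint expects, so a
    // registered-but-unexpected class still cannot reach application code.
    static <T> T deserializeAs(Fory fory, byte[] bytes, Class<T> expected) {
        Object obj = fory.deserialize(bytes);
        if (!expected.isInstance(obj)) {
            throw new IllegalArgumentException("expected " + expected.getName()
                    + " but payload decoded to "
                    + (obj == null ? "null" : obj.getClass().getName()));
        }
        return expected.cast(obj);
    }

    public static void main(String[] args) {
        Fory fory = newReceiver();
        Order order = new Order();
        order.id = "o-1";
        order.quantity = 3;
        byte[] bytes = fory.serialize(order); // constructed sample payload
        Order decoded = deserializeAs(fory, bytes, Order.class);
        System.out.println(decoded.id + " x" + decoded.quantity);
    }
}
```

A payload whose root object is any class other than `Order` is rejected either at registration lookup or by `deserializeAs`, which is the point of checking expectation rather than relying on a denylist alone.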
