chaokunyang commented on code in PR #170: URL: https://github.com/apache/fury-site/pull/170#discussion_r1730376354
########## docs/guide/java_serialization_guide.md: ########## @@ -262,20 +259,18 @@ Fury fury=getFury(); ### Security & Class Registration -`FuryBuilder#requireClassRegistration` can be used to disable class registration, this will allow to deserialize objects -unknown types, -more flexible but **may be insecure if the classes contains malicious code**. +`FuryBuilder#requireClassRegistration` can be used to disable class registration, this will allow to deserialize objects unknown types, more flexible but **may be insecure if the classes contains malicious code**. **Do not disable class registration unless you can ensure your environment is secure**. + Malicious code in `init/equals/hashCode` can be executed when deserializing unknown/untrusted types when this option disabled. Class registration can not only reduce security risks, but also avoid classname serialization cost. You can register class with API `Fury#register`. -Note that class registration order is important, serialization and deserialization peer -should have same registration order. +> Note that class registration order is important, serialization and deserialization peer, should have same registration order. Review Comment: ```suggestion > Note that class registration order is important, serialization and deserialization peer should have same registration order. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
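Review bot: The rewritten `+` line still says `FuryBuilder#requireClassRegistration` "can be used to disable class registration" without saying which value does so; since the method name reads as the option that requires registration, state it explicitly, e.g. "calling `FuryBuilder#requireClassRegistration` with `false` disables registration" (assuming that is the intended argument), so readers do not flip the default by accident. The same line carries several grammar slips worth fixing while it is being touched: "allow to deserialize objects unknown types" should read "allow deserializing objects of unknown types", "if the classes contains malicious code" should be "contain", and "when this option disabled" in the next sentence should be "when this option is disabled". The security warning would also be more useful if it said what actually goes wrong: the later sentence notes that registration "avoid[s] classname serialization cost", which implies that without registration the class name is read from the incoming stream, so an untrusted peer chooses which class on the classpath gets instantiated and has its `init/equals/hashCode` executed; one sentence spelling that out makes the "Do not disable class registration" advice concrete rather than generic. The stray comma in "deserialization peer, should" on the final `+` line is already handled by the reviewer's suggestion.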
