Author: smartini Date: Mon Jan 30 17:39:43 2023 New Revision: 1907118 URL: http://svn.apache.org/viewvc?rev=1907118&view=rev Log: update security info in classes potentially exposed to the Java deserialization of arbitrary objects vulnerability
Modified: pivot/branches/2.0.x/core/src/org/apache/pivot/serialization/BinarySerializer.java
pivot/branches/2.0.x/web-server/src/org/apache/pivot/web/server/QueryServlet.java
Modified: pivot/branches/2.0.x/core/src/org/apache/pivot/serialization/BinarySerializer.java
URL: http://svn.apache.org/viewvc/pivot/branches/2.0.x/core/src/org/apache/pivot/serialization/BinarySerializer.java?rev=1907118&r1=1907117&r2=1907118&view=diff
==============================================================================
--- pivot/branches/2.0.x/core/src/org/apache/pivot/serialization/BinarySerializer.java (original)
+++ pivot/branches/2.0.x/core/src/org/apache/pivot/serialization/BinarySerializer.java Mon Jan 30 17:39:43 2023
@@ -25,7 +25,10 @@ import java.io.OutputStream;
 /**
  * Implementation of the {@link Serializer} interface that uses Java's
  * internal serialization mechanism to read and write values. All values in the
- * object hierarchy are required to implement {@link java.io.Serializable}.
+ * object hierarchy are required to implement {@link java.io.Serializable}.<br/>
+ *
+ * Note that for better security, you should only use BinarySerializer in QueryServlet
+ * if you're sure the incoming requests will only come from trusted sources.
  */
 public class BinarySerializer implements Serializer<Object> {
     public static final String MIME_TYPE = "application/x-java-serialized-object";
Modified: pivot/branches/2.0.x/web-server/src/org/apache/pivot/web/server/QueryServlet.java
URL: http://svn.apache.org/viewvc/pivot/branches/2.0.x/web-server/src/org/apache/pivot/web/server/QueryServlet.java?rev=1907118&r1=1907117&r2=1907118&view=diff
==============================================================================
--- pivot/branches/2.0.x/web-server/src/org/apache/pivot/web/server/QueryServlet.java (original)
+++ pivot/branches/2.0.x/web-server/src/org/apache/pivot/web/server/QueryServlet.java Mon Jan 30 17:39:43 2023
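Review bot: The `<br/>` appended to the first Javadoc sentence in this hunk, and again in the QueryServlet hunk below, is a self-closing element that javadoc's doclint rejects on Java 8 and later; drop it and start the new paragraph with a `<p>` line instead, i.e. `* object hierarchy are required to implement {@link java.io.Serializable}.` followed by `* <p>` before the note. The note itself is vaguer than a reader deciding whether to use this class needs: "for better security" names neither the risk nor any mitigation beyond trusting the caller. I would state it directly in the class doc: because this serializer relies on Java's built-in serialization (the sentence just above already says so), reading a request body in this format lets the sender pick which Serializable classes on the server classpath get instantiated, so an endpoint reachable by untrusted clients should use a non-native format such as JSON, and on JDKs that provide `java.io.ObjectInputFilter` an allow-list filter should be installed on the input stream this class reads from (presumably an ObjectInputStream; the read path is outside the hunk). The QueryServlet class doc repeats the same two sentences verbatim; a `{@link org.apache.pivot.serialization.BinarySerializer}` there would let readers jump to the class the caveat is actually about rather than maintaining the same text in two places.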
@@ -42,7 +42,10 @@ import org.apache.pivot.web.QueryDiction
 import org.apache.pivot.web.QueryException;
 
 /**
- * Abstract base class for query servlets.
+ * Abstract base class for query servlets.<br/>
+ *
+ * Note that for better security, you should only use BinarySerializer in QueryServlet
+ * if you're sure the incoming requests will only come from trusted sources.
  */
 public abstract class QueryServlet extends HttpServlet {
     /**