bdemers commented on pull request #311: URL: https://github.com/apache/shiro/pull/311#issuecomment-881507458
Thanks for reaching out @k4n5ha0! I want to point out a few things first. Potential vulnerabilities need to be handled differently than regular software bugs:

- Apache has a [great guide on the topic](https://www.apache.org/security/), and a [step-by-step guide for committers](https://www.apache.org/security/committers.html).
- I have a [few posts](https://developer.okta.com/blog/2020/03/13/developers-guide-on-reporting-vulnerabilities) on the topic as well.

Back to the topic:

- Shiro makes use of this ObjectStream through an encrypted stream; this means that Shiro itself should be the only one serializing the original data (mitigating this risk).
- This PR implements a block list, which doesn't scale well: there will always be other entries that need to be added to a block list. Instead, an allow list would be recommended, especially for uses in security (e.g. only allow classes `A`, `B`, and `C`, instead of only blocking `Z`, `Y`, and `Z`).

All that said, we can continue the thread on the Shiro Security list if you want (or if you see any gaps in my explanation)! [email protected]
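The allow-list approach the comment recommends, as an added example that is not part of the PR or of Shiro's own code: a Java `ObjectInputStream` subclass that refuses to resolve any class not on an explicit allow list, so unexpected gadget classes are rejected before they are instantiated. `SessionToken` and the `ALLOWED` set are hypothetical application-side choices; the sample stream is constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class AllowListDeserializer {

    /** Hypothetical application type that is legitimately stored in the stream. */
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    /**
     * The allow list: every class that may be reconstructed from the stream, by name.
     * Anything absent here (including array types such as "[Ljava.lang.String;") is rejected,
     * so the list must be extended deliberately whenever the stored object graph changes.
     */
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList(SessionToken.class.getName())));

    /** ObjectInputStream that checks each class descriptor against the allow list before loading it. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed: the class is never loaded, so no static initializer or readObject runs.
                throw new InvalidClassException(name, "class not on deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Serializes an object with the stock ObjectOutputStream (stands in for the writer side). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes through the allow-list stream; throws InvalidClassException for anything unexpected. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: the expected application type is accepted.
        SessionToken token = (SessionToken) deserialize(serialize(new SessionToken("alice")));
        System.out.println("accepted: " + token.user);

        // Constructed sample 2: a perfectly ordinary JDK class that is not on the list is still rejected.
        byte[] unexpected = serialize(new ArrayList<>(Arrays.asList("x")));
        try {
            deserialize(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the list must name every class in the stored graph, not only the root object; a block list has the opposite problem of having to name every class that must not appear, which is the scaling issue the comment describes. On Java 9 and later the same policy can be expressed with the built-in `ObjectInputFilter` (for example `ObjectInputFilter.Config.createFilter("com.example.SessionToken;!*")` passed to `setObjectInputFilter`), where the trailing `!*` rejects everything not explicitly listed.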
