[
https://issues.apache.org/jira/browse/HADOOP-12579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15150073#comment-15150073
]
Kai Zheng commented on HADOOP-12579:
------------------------------------
I'm migrating the RPC tests that are based on the WriteableRPCEngine to base them
on the protocol buffer one. There are quite a few tests to do. I have gotten
{{TestRPC}} done and the resultant patch looks rather large (100k+). Other
tests like {{TestSaslRPC}}, {{TestRPCCompatibility}}, etc. are under
way. Will break this down and file separate issues to submit the test work
first. When all the still valuable tests are rebased on the protocol buffer
engine, then it will simply be easy to get rid of the obsolete engine.
> Deprecate and remove WriteableRPCEngine
> ---------------------------------------
>
> Key: HADOOP-12579
> URL: https://issues.apache.org/jira/browse/HADOOP-12579
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Haohui Mai
> Attachments: HADOOP-12579-v1.patch
>
>
> The {{WriteableRPCEngine}} depends on Java's serialization mechanisms for RPC
> requests. Without proper checks, it has been shown that it can lead to security
> vulnerabilities such as remote code execution (e.g., COLLECTIONS-580,
> HADOOP-12577).
> The current implementation has migrated from {{WriteableRPCEngine}} to
> {{ProtobufRPCEngine}} now. This jira proposes to deprecate
> {{WriteableRPCEngine}} in branch-2 and to remove it in trunk.