Romain Manni-Bucau commented on JOHNZON-146:

Isnt it too dangerous? The java is fully controlled by the user and he can say 
"read type before value" for instance, if we respect json we are open to 
injection and hacks pby.

> Mapper json processing should use the order in the Json, not setters
> --------------------------------------------------------------------
>                 Key: JOHNZON-146
>                 URL: https://issues.apache.org/jira/browse/JOHNZON-146
>             Project: Johnzon
>          Issue Type: Bug
>          Components: JSON-B, Mapper
>    Affects Versions: 1.1.5
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>            Priority: Minor
>             Fix For: 1.1.8
> Currently we do a loop over all the getters and try to find the attribute in 
> the JSON.
> But for deduplicateObjects handling one might end up getting a JsonPointer 
> before the original object got processed. 
> This means that we should do it exactly the other way around: loop over the 
> json attributes and then use the setter accordingly.

This message was sent by Atlassian JIRA

Reply via email to