On 08/09/2016 at 12:42, Jacopo Cappellato wrote:
On Thu, Sep 8, 2016 at 12:04 PM, Jacques Le Roux <[email protected]> wrote:

...
If we remove the jar and all the rest, I fear the notsoserial effort will
be definitely thrown away, exposing our "naive" users to the risk of using
RMI or vulnerable external classes.

Configuring OFBiz for production requires some steps to secure it; "naive"
users are not exposed to the risk because RMI is disabled by default; if a
more expert user enables RMI then they would also take care of protecting
against deserialization driven attacks, if warned about them.

How do you expect to warn users about deserialization driven attacks? I mean people can have such a risk w/o using RMI; deserialization driven attacks are not only about RMI.

BTW, when you say "We could always bundle it in another release soon" do
you expect to freeze and release R16 very soon?
I am sorry but I don't get your question.

Simpler question: when would you expect to bundle it?

Jacques


Jacopo

