https://bz.apache.org/bugzilla/show_bug.cgi?id=58662
Bug ID: 58662
Summary: blacklist some classes in custom ObjectInputStreams
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Mac OS X 10.4
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: rmannibu...@gmail.com

Tomcat (at least 7 to 9) uses a custom ObjectInputStream. Since the server can't control the fact that a user adds one of the vulnerable libraries in the same classloader as Tomcat (aka common.loader), Tomcat should blacklist these classes.

This can be done with https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java (adapting the config I guess) and calling check(name) here https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java#L74 around classDesc.getName() before loading the class.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
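The mitigation the report asks for, shown as an added, self-contained example rather than code from Tomcat or TomEE: an ObjectInputStream subclass that consults a deny-list of class-name prefixes inside resolveClass, using the name from the stream's class descriptor (classDesc.getName()) before the class is ever loaded. The class FilteringObjectInputStream, its check(name) helper, the deny-list entries and the SessionNote/DeniedType sample types are all constructed for this example; a real deployment would take the list from configuration. Note the check runs on the stream's own descriptor name, so a rejected class is never resolved or instantiated, which is the property the bug report is after.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.List;

public class FilteringObjectInputStream extends ObjectInputStream {

    // Constructed deny-list for this example only (not TomEE's real configuration).
    // "example.gadgets." stands in for a package known to contain deserialization
    // gadget chains; the second entry lets the demo below trip the filter.
    private static final List<String> DENIED_PREFIXES = List.of(
            "example.gadgets.",
            "FilteringObjectInputStream$DeniedType");

    private final ClassLoader classLoader;

    public FilteringObjectInputStream(InputStream in, ClassLoader classLoader) throws IOException {
        super(in);
        this.classLoader = classLoader;
    }

    // The hook the bug report points at: inspect the descriptor's class name and
    // reject it before any class loading takes place.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass classDesc)
            throws IOException, ClassNotFoundException {
        String name = classDesc.getName();
        check(name);
        try {
            return Class.forName(name, false, classLoader);
        } catch (ClassNotFoundException e) {
            return super.resolveClass(classDesc);
        }
    }

    // Throws if the class name (or the element type of an array of it) is denied.
    static void check(String name) throws InvalidClassException {
        String base = name;
        boolean isArray = false;
        while (base.startsWith("[")) {          // "[Lpkg.Type;" for object arrays
            base = base.substring(1);
            isArray = true;
        }
        if (isArray && base.startsWith("L") && base.endsWith(";")) {
            base = base.substring(1, base.length() - 1);
        }
        for (String prefix : DENIED_PREFIXES) {
            if (base.startsWith(prefix)) {
                throw new InvalidClassException(name, "rejected by deserialization deny-list");
            }
        }
    }

    // Demo: an ordinary session attribute round-trips; a denied type is refused
    // while the stream is still reading its class descriptor.
    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new SessionNote("hello"));
        byte[] bad = serialize(new DeniedType());
        System.out.println("allowed:  " + roundTrip(ok));
        try {
            roundTrip(bad);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object roundTrip(byte[] bytes) throws IOException, ClassNotFoundException {
        ClassLoader cl = FilteringObjectInputStream.class.getClassLoader();
        try (FilteringObjectInputStream in =
                     new FilteringObjectInputStream(new ByteArrayInputStream(bytes), cl)) {
            return in.readObject();
        }
    }

    // Constructed sample types standing in for session attribute values.
    static final class SessionNote implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        SessionNote(String text) { this.text = text; }
        @Override public String toString() { return "SessionNote(" + text + ")"; }
    }

    static final class DeniedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }
}
```

A deny-list only catches the gadget packages someone has already listed; an allow-list of the attribute types a given application actually stores in sessions is the stricter default, and on Java 9 and later the standard way to apply either policy is a java.io.ObjectInputFilter set on the stream (or process-wide via jdk.serialFilter) rather than a hand-written resolveClass override.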