I agree, this looks like a good implementation to me. Once this is
merged and some documentation is written, the last remaining step would
be to write an advisory describing this issue and how to consume the
fix. For users upgrading to 1.4.x, the advisory should reference the
corresponding documentation to explain the changes users need to make in
their own code. I would be happy to write a draft advisory if that is
helpful.
Thanks
David
On 01/10/2014 05:56 AM, Joe Walnes wrote:
Hi Jörg
This is an excellent implementation! Very clean, easy to use, flexible
and extensible. I think even Paul will approve of the implementation :)
If anyone else wants to take a look, the code is here:
https://fisheye.codehaus.org/changelog/xstream?cs=2210.
I have one very minor nitpick. In
XStream.addPermission(TypePermission), can you make it throw an
exception instead of failing silently if a permission is added without
a SecurityMapper? This would reduce the chance of a user error causing
permissions to be silently dropped.
Thanks for doing this!
Thanks
-Joe
On Thu, Jan 9, 2014 at 1:08 PM, Jörg Schaible wrote:
Hi Joe,
Joe Walnes wrote:
> On Tue, Jan 7, 2014 at 5:58 PM, Jörg Schaible wrote:
[snip]
>> Since I already proposed an upcoming 1.5.0 to require Java 6 and 1.4.x to
>> stay compatible, the best compromise is to turn whitelisting on for 1.5.x
>> and port the mechanism back into the 1.4.x branch, without activating it
>> by default. Since the code base is currently not yet really different, it
>> should be easy.
>>
>> So anyone who relies on 1.4.x to be a drop-in replacement can do so and
>> will at least not suffer from the EventHandler (unless he has such instances
>> in his object graph) and for 1.5.x there might be more changes anyway.
>>
>> Sounds reasonable?
>
> Sounds excellent! :)
I've now committed a version to trunk that contains the new security
framework. You may have a look (or at least at the diff). It currently
allows anything by default, but that will change after merging the
changes to the branch. I'll have to write some docs, too.
Cheers,
Jörg
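
The whitelisting discussed in this thread, as an added example that is not part of the original messages or of the XStream code base: a reader that denies every type first and then permits only what it expects. The thread itself names only `XStream.addPermission(TypePermission)` and `SecurityMapper`; the permission classes, `allowTypes` and `ForbiddenClassException` are assumed from the released `com.thoughtworks.xstream.security` package, and `Order` is a constructed sample type.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class WhitelistDemo {

    // Constructed sample type: the only application class this reader expects.
    public static class Order {
        int id;
        String customer;
    }

    // Build an XStream instance that starts from "deny everything".
    static XStream restricted() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);             // drop all defaults
        xstream.addPermission(NullPermission.NULL);               // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, long, ...
        xstream.allowTypes(new Class[] {Order.class, String.class});
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = restricted();

        // A whitelisted type deserializes as before.
        Order order = (Order) xstream.fromXML(
            "<order><id>42</id><customer>acme</customer></order>");
        System.out.println("accepted: order " + order.id + " for " + order.customer);

        // A type outside the whitelist is refused when its name is resolved,
        // before any instance of it is created. The element is empty on purpose.
        try {
            xstream.fromXML("<java.beans.EventHandler/>");
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Logging the rejected type name from the exception gives a cheap detection signal for unexpected classes arriving in untrusted XML.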