cshannon commented on PR #4924: URL: https://github.com/apache/activemq-artemis/pull/4924#issuecomment-2100376697
@gtully - You are right that it may not help much in this case since it's server side config, and if you have access to the file system to modify jars on the classpath or update the config, it's likely already too late. This is different than the OpenWire CVE where a client could send in the malicious command so they did not need access. I figured it was still worth bringing it up for discussion as I still think it's a good idea to play it safer and make it a bit more strict.

There are also 2 other nice things about adding a new interface and requiring a type, besides security reasons, that I think make it worthwhile.

1. This makes validation a bit easier, as requiring a specific type is a quick way to make sure someone didn't screw up the configuration and that the class used was intended.
2. If desired, it allows requiring that the implementations provide certain behavior by adding method signatures to the interface. This may not be required in this case but it's nice to have that option.
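The type requirement discussed in the comment above, sketched as an added example that is not code from the PR or from ActiveMQ Artemis: a class name taken from configuration is resolved without initialization and checked against a required interface before any constructor runs. `TypedPluginLoader`, `BrokerExtension`, `AuditExtension` and `Unrelated` are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;

public class TypedPluginLoader {

    /** Hypothetical interface that every configured class must implement. */
    public interface BrokerExtension {
        String name();
    }

    /** A conforming implementation, as the configuration is meant to name. */
    public static class AuditExtension implements BrokerExtension {
        public String name() { return "audit"; }
    }

    /** Stands in for a mistyped or unintended class name; its constructor has a side effect. */
    public static class Unrelated {
        static final List<String> SIDE_EFFECTS = new ArrayList<>();
        public Unrelated() { SIDE_EFFECTS.add("constructed"); }
    }

    /** Instantiate className only if it is assignable to the required type. */
    static <T> T load(String className, Class<T> required) throws ReflectiveOperationException {
        ClassLoader loader = TypedPluginLoader.class.getClassLoader();
        // initialize=false: resolve the class without running its static initializers
        Class<?> candidate = Class.forName(className, false, loader);
        if (!required.isAssignableFrom(candidate)) {
            throw new IllegalArgumentException(
                className + " does not implement " + required.getName());
        }
        // Only after the type check passes is a constructor invoked
        return candidate.asSubclass(required).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        BrokerExtension ok = load(AuditExtension.class.getName(), BrokerExtension.class);
        System.out.println("loaded: " + ok.name());
        try {
            load(Unrelated.class.getName(), BrokerExtension.class);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The rejected class was never constructed, so no side effect was recorded
        System.out.println("side effects: " + Unrelated.SIDE_EFFECTS);
    }
}
```

Adding method signatures to the interface, as in point 2, is what lets the caller use the returned object (`ok.name()` here) without further reflection or casts.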
