On Saturday, November 21, 2015 at 3:36:02 PM UTC+1, Jens wrote: > > I think a flag to disable the enhanced classes feature isn't worth it. > Apps that need that feature will stop working so they won't use that flag. > Apps that do not use this feature are not vulnerable unless the attacker > can also control the content of the rpc policy file somehow. > > I would output a compile error if rpc.enhancedClasses is not empty and/or > JPA/JDO annotated classes are detected for RPC serialization. That makes > sure everyone is aware of that security issue. > Then we would provide a flag to disable that compile error which means > people must explicitly confirm that they understand that their app will be > attackable through internet if they have the required classes on class path > on the server. I think current exploits are all based on apache > commons-collections but maybe additional libraries have already been > discovered to make that deserialization exploit possible. >
AIUI this actually has nothing to do with Apache Commons, but about any case of deserialization of untrusted data: https://www.owasp.org/index.php/Deserialization_of_untrusted_data > So I think that issue is important enough to make GWT compiles of possibly > vulnerable apps stop working unless the user has set a flag to make it > compile again. > Yup, that's what I actually meant: turn off by default, add a flag to turn back on. Ideally you'd have one flag at compile-time and one at runtime to be extra sure the offending code is never called. There's a potential for truly fixing it though, but probably not ready in time for GWT 2.8: as java serialization is only used for roundtripping, seen as opaque on the client, the server could "sign" the payload (possibly just a HMAC) and verify the signature before deserializing it. That would require some hooks to configure the signing key, to allow sharing it between servers in a farm and/or surviving server restarts. I'm not going to do that patch though (possibly not even the flag, let's gather some feedback first and see if anyone who actively uses GWT-RPC –I don't– volunteers to do the patch). -- You received this message because you are subscribed to the Google Groups "GWT Contributors" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit-contributors/3e3de167-6dd4-4681-ba81-3fe9b0c07fdb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
