> AIUI this actually has nothing to do with Apache Commons, but about any > case of deserialization of untrusted data: > https://www.owasp.org/index.php/Deserialization_of_untrusted_data > <https://www.google.com/url?q=https%3A%2F%2Fwww.owasp.org%2Findex.php%2FDeserialization_of_untrusted_data&sa=D&sntz=1&usg=AFQjCNF2UekVAIU2y5TGBv6Zd0lnU0ukRw> >
Yes deserialization from untrusted sources is a general issue. It just got hyped recently because apache commons-collections has some classes which allow remote code execution via deserialization and that library is literally used everywhere. As you already mentioned, GWT should have signed that opaque value and then verify it before deserialization. -- J. -- You received this message because you are subscribed to the Google Groups "GWT Contributors" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit-contributors/d1731208-d271-4006-a265-a8621654b81d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
