On 18 nov, 10:11, balachandra maddina <[email protected]> wrote:
> Hi There,
>
> While i was looking at a POST request on a sample application i observed
> that the POST request is carrying the following piece of text in the body
>
> java.lang.String/2004016611|N
>
> Here, my question is, is GWT deserialization process is using this
> representation to construct a String object like below?
>
> java.lang.String("N")
>
> If so are there any preventive measures implemented to
> avoid instantiating arbitrary object being constructed to avoid any attacks
> by a hacker?
Yes. Deserialization is based on a white list (see
SerializationPolicy), computed at the time you compile your GWT app (a
*.gwt.rpc file). You can customize this by overriding
RemoteServiceServlet#doGetSerializationPolicy (which by default reads
the *.gwt.rpc file following a naming convention).
Also note that in latests versions of GWT (starting with 2.0 ? maybe
only 2.1, dunno) you can have type names obfuscated.
> Now imagine the attacker
> constructing a FileOutputStream("/etc/passwd") - depending on the user
> the application server is running, this would create a huge security risk.
Even if he could create it, he would still need a mean of reading its
content and have it returned on the wire.
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/google-web-toolkit?hl=en.
