KalleOlaviNiemitalo commented on PR #2523: URL: https://github.com/apache/avro/pull/2523#issuecomment-1736179560
A similar change was rejected in <https://github.com/apache/avro/pull/1160>. Even if Apache.Avro depends on a lower version of Newtonsoft.Json, applications that use it can add a direct dependency on the latest version.

Would the stack overflow be exploited via a malicious schema, or via malicious data? If the latter, then I don't think just upgrading Newtonsoft.Json will suffice, as `PreresolvingDatumReader<T>` also works recursively and does not seem to implement any depth limits.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
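The schema-versus-data distinction raised in the comment, as an added example that is neither the PR's code nor Apache.Avro's: a toy Python schema resolver and datum reader that share one depth guard. It shows that a deeply nested schema can be rejected while resolving, but that a tiny self-referential record schema still describes data of unbounded depth, so the reader needs its own limit. `MAX_DEPTH`, the function names and the sample schemas are assumptions constructed for this example.

```python
MAX_DEPTH = 64  # assumed cap for this toy; not a setting of Apache.Avro
class NestingTooDeep(ValueError):
    """Raised before recursion can run until the stack overflows."""

def resolve_schema(schema, names, depth=0):
    """Toy resolver for a subset of Avro JSON schemas; `names` maps record names to resolved records."""
    if depth > MAX_DEPTH:
        raise NestingTooDeep(f"schema nesting deeper than {MAX_DEPTH}")
    if isinstance(schema, str):  # primitive, or a reference to a named record
        return names.get(schema, {"type": schema})
    if isinstance(schema, list):  # union
        return {"type": "union", "branches": [resolve_schema(b, names, depth + 1) for b in schema]}
    rec = {"type": "record", "name": schema["name"], "fields": []}
    names[schema["name"]] = rec  # register first so the record may refer to itself
    rec["fields"] = [(f["name"], resolve_schema(f["type"], names, depth + 1)) for f in schema["fields"]]
    return rec

def read_datum(resolved, datum, depth=0):
    """Toy datum reader mirroring the schema recursion, with the same guard."""
    if depth > MAX_DEPTH:
        raise NestingTooDeep(f"datum nesting deeper than {MAX_DEPTH}")
    if resolved["type"] == "union":  # null branch for None, otherwise the first non-null branch
        branch = next(b for b in resolved["branches"] if (b["type"] == "null") == (datum is None))
        return read_datum(branch, datum, depth + 1)
    if resolved["type"] == "record":
        return {n: read_datum(s, datum[n], depth + 1) for n, s in resolved["fields"]}
    return datum

def nested_record_schema(levels):  # constructed malicious-schema case: `levels` nested records
    s = "int"
    for i in range(levels):
        s = {"type": "record", "name": f"R{i}", "fields": [{"name": "f", "type": s}]}
    return s

# Constructed malicious-data case: this self-referential schema is tiny, yet it describes
# a linked list of any length, so checking schema depth alone cannot bound data depth.
NODE = {"type": "record", "name": "Node", "fields": [{"name": "next", "type": ["null", "Node"]}]}

def linked_list(length):  # constructed datum: a chain of `length` Node records ending in null
    node = None
    for _ in range(length):
        node = {"next": node}
    return node

def outcome(thunk):  # "accepted" if the thunk completes, "rejected" if the depth guard fired
    try:
        thunk()
        return "accepted"
    except NestingTooDeep:
        return "rejected"
```

Each Node in the datum costs two levels (the record and its union), so the reader's guard fires long before the interpreter's own recursion limit would.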
