kyakdan commented on PR #25:
URL: https://github.com/apache/commons-jxpath/pull/25#issuecomment-1282179185

@bhmohanr-techie With the deny list approach, users do not get any 
protection whatsoever if they don't change their configurations. This means 
they stay insecure by default. In both approaches, you have to adjust your 
default configuration in order to be protected. Since our main goal here is to 
protect users who use the library, making it necessary to change the 
configuration by explicitly mentioning which classes are allowed is the best 
way to guarantee that they will not be vulnerable. Moreover, with a denylist, 
you can always forget/miss some dangerous classes. It is much harder to know 
all insecure classes to deny than to know which classes you trust. I think that 
while backward compatibility is great, protecting users by default takes 
precedence.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
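The trade-off argued in the comment above, as an added illustration that is not commons-jxpath code: a toy class-access policy for an expression engine that can call methods on named classes, comparing the two approaches both with untouched default configuration and with a configuration the user has adjusted. All class names and the policy types are constructed for the example.

```python
"""Constructed example: allowlist vs. denylist for class access in an
expression engine. Not the JXPath API; names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class DenylistPolicy:
    """Permit every class except those explicitly listed (insecure by default)."""
    denied: set = field(default_factory=set)

    def allows(self, class_name: str) -> bool:
        return class_name not in self.denied


@dataclass
class AllowlistPolicy:
    """Permit only classes explicitly listed (secure by default)."""
    allowed: set = field(default_factory=set)

    def allows(self, class_name: str) -> bool:
        return class_name in self.allowed


def resolve_class(policy, class_name: str) -> str:
    """Stand-in for the engine resolving a class named in an expression.
    Rejects instead of returning a handle when the policy says no."""
    if not policy.allows(class_name):
        raise PermissionError(f"class not permitted by policy: {class_name}")
    return class_name  # a real engine would return the loaded class


def compare_defaults(class_name: str) -> dict:
    """What a user gets with an unchanged (empty) configuration."""
    return {"denylist": DenylistPolicy().allows(class_name),
            "allowlist": AllowlistPolicy().allows(class_name)}


def compare_configured(class_name: str) -> dict:
    """What a user gets after adjusting each configuration.
    The denylist names the one class its author remembered; the allowlist
    names the one helper the application actually needs (constructed)."""
    deny = DenylistPolicy(denied={"app.internal.ShellRunner"})
    allow = AllowlistPolicy(allowed={"app.util.StringHelper"})
    return {"denylist": deny.allows(class_name),
            "allowlist": allow.allows(class_name)}


if __name__ == "__main__":
    # A class the denylist author never thought of slips through the denylist
    # but is rejected by the allowlist without any extra configuration.
    print(compare_configured("app.internal.ProcessSpawner"))
```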
