raboof commented on PR #763:
URL: https://github.com/apache/commons-compress/pull/763#issuecomment-4830326821

   > > unbounded deserialization
   > 
   > Much better :) But don't you mean "unbounded decompression" instead of "unbounded deserialization"?
   
   I really did mean "unbounded deserialization" (i.e. deserialization allowing instantiation of arbitrary classes) - perhaps "unrestricted deserialization" would be clearer?
   
   Taking a step back here, to be honest I'm still somewhat on the fence on whether we should promise the absence of DoS conditions even for small inputs. I added that because that's what I understood the consensus to be from the past advisories and the discussions on the list, but as I've been getting more involved as a volunteer I'm not entirely sure myself that this is something we're well-prepared to promise. I'm starting to lean towards only promising this for a few well-understood components, like Zip and Tar, and not promising it for 'all of them'.
   
   How would you feel about that?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

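The two terms raboof keeps apart in the comment above name two different controls, and the difference is easiest to see in code. The example below is added here; it is not code from the PR or from Commons Compress, and it uses only JDK classes (java.util.zip and java.io.ObjectInputFilter). "Restricted deserialization" means an allowlist of classes the stream may instantiate; "bounded decompression" means a hard cap on how many bytes a stream may expand to, which is what stops a few kilobytes of input from costing megabytes of memory. The class, method and field names and the constructed sample inputs are all this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

// Example class (hypothetical name): contrasts a decompression bound with a deserialization allowlist.
public class BoundedReads {

    /** Bounded decompression: read at most maxOut bytes of output, failing before the cap is exceeded. */
    static byte[] decompressBounded(byte[] compressed, long maxOut) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        long total = 0;
        try (InputStream in = new GZIPInputStream(new ByteArrayInputStream(compressed))) {
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > maxOut) {
                    // Report the expansion ratio seen so far; a small input with a huge ratio is the DoS case.
                    throw new IOException("decompressed output exceeds " + maxOut + " bytes (ratio so far "
                            + (total / Math.max(1, compressed.length)) + ":1)");
                }
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    /** Restricted deserialization: only the listed classes may be instantiated from the stream. */
    static Object deserializeRestricted(byte[] data, Class<?>... allowed)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Depth/reference checks carry no class; leave them to the stream's own limits.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            for (Class<?> a : allowed) {
                if (a.equals(c)) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
            }
            return ObjectInputFilter.Status.REJECTED; // any class not on the allowlist is refused
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    /** Harmless serializable type used as the allowed class in the demo. */
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
        @Override public String toString() { return "Point(" + x + "," + y + ")"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: 1 MiB of zeros gzips to a few hundred bytes, i.e. a small input with a large ratio.
        byte[] zeros = new byte[1 << 20];
        ByteArrayOutputStream gz = new ByteArrayOutputStream();
        try (GZIPOutputStream g = new GZIPOutputStream(gz)) { g.write(zeros); }
        byte[] compressed = gz.toByteArray();
        System.out.println("compressed " + compressed.length + " bytes -> " + zeros.length + " bytes");
        System.out.println("bounded read with 2 MiB cap returned " + decompressBounded(compressed, 2L << 20).length + " bytes");
        try {
            decompressBounded(compressed, 64 * 1024); // cap far below the real size: must be rejected
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed input: an allowed Point deserializes; an ArrayList, not on the allowlist, is refused.
        System.out.println("allowed: " + deserializeRestricted(serialize(new Point(1, 2)), Point.class, String.class));
        try {
            deserializeRestricted(serialize(new ArrayList<String>()), Point.class, String.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac BoundedReads.java && java BoundedReads` on JDK 9 or later (ObjectInputFilter was added in JDK 9). The first control is what a promise about "small inputs" would commit the project to for every compressor and archiver; the second is the separate class-instantiation concern the comment distinguishes it from.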