raboof commented on PR #763: URL: https://github.com/apache/commons-compress/pull/763#issuecomment-4830326821
> > unbounded deserialization
>
> Much better :) But don't you mean "unbounded decompression" instead of "unbounded deserialization"?

I really did mean "unbounded deserialization" (i.e. deserialization allowing instantiation of arbitrary classes) - perhaps "unrestricted deserialization" would be clearer?

Taking a step back here, to be honest I'm still somewhat on the fence about whether we should promise the absence of DoS conditions even for small inputs. I added that because that's what I understood the consensus to be from the past advisories and the discussions on the list, but as I've been getting more involved as a volunteer I'm not entirely sure myself that this is something we're well-prepared to promise.

I'm starting to lean towards only promising this for a few well-understood components, like Zip and Tar, and not promising it for 'all of them'. How would you feel about that?
