uschindler commented on PR #15237: URL: https://github.com/apache/lucene/pull/15237#issuecomment-3341896526
> LGTM. Which issue does the de-serialization filtering come from? Why was it a problem? Sorry, I wasn't paying attention.

See security list :-)

In general this is an improvement to not allow deserialization anywhere (in addition to forbiddenapis). This will also disallow it in external code. This makes sure that we only use Java's deserialization if it is properly guarded (with class whitelists and other filtering).

Unfortunately Gradle is not doing this. Somebody should open a security issue there. If somebody intercepts the internal gradle runner communication it can inject bad data leading to RCE or similar.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
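The "properly guarded" deserialization the comment refers to is what Java's built-in `ObjectInputFilter` (JDK 9+) provides: an allowlist of classes that may be deserialized, with everything else rejected before any object is instantiated. The following is an added illustration written for this page; it is not code from the Lucene PR or from the Lucene project. The class names on the allowlist and the sample payloads are constructed for the demo; the filter pattern syntax and the `ObjectInputFilter.Config` / `setObjectInputFilter` calls are the standard JDK API. The same allowlist can be applied JVM-wide (covering external code too) with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter(...)`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class GuardedDeserialization {

    // Allowlist filter (constructed for this example). Only the named classes are
    // accepted; "!*" at the end rejects every other class. The maxdepth/maxarray
    // limits also bound resource use from deeply nested or oversized payloads.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=8;maxarray=1000;!*");

    // Deserialize with the filter attached to this stream only. Classes outside the
    // allowlist cause an InvalidClassException before their readObject logic runs.
    static Object readGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper to produce serialized bytes for the constructed sample payloads.
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a payload made only of allowlisted classes is accepted.
        ArrayList<String> allowed = new ArrayList<>(List.of("lucene", "filter"));
        System.out.println("accepted: " + readGuarded(serialize(allowed)));

        // Constructed sample 2: HashMap is not on the allowlist, so the stream is
        // rejected by the filter (status REJECTED) instead of being instantiated.
        HashMap<String, String> notAllowed = new HashMap<>();
        notAllowed.put("k", "v");
        try {
            readGuarded(serialize(notAllowed));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Attaching the filter per stream, as above, guards only the code paths that remember to do so; setting it globally (via `-Djdk.serialFilter=...` on the command line or `ObjectInputFilter.Config.setSerialFilter`) is what makes the restriction apply to third-party and tooling code as well, which is the point the comment makes about Gradle.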
