metsw24-max opened a new pull request, #16138: URL: https://github.com/apache/lucene/pull/16138
readClass in SerializableObject reads a class name from the stream and resolves it with Class.forName, and readObject invokes that class's InputStream constructor before the instanceof SerializableObject check runs. A crafted shape stream, e.g. through Geo3dBinaryCodec.readShape, can therefore load and construct arbitrary named classes.

Loading the class without initializing it and rejecting non-SerializableObject types in readClass moves the check ahead of any instantiation, while registry and custom shapes still deserialize.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
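The ordering problem the PR describes, shown side by side with the fix, as an added standalone illustration that is not Lucene's code and not part of the pull request. The interface SerializableObject, the stream layout (a UTF class name followed by the payload), the readClass/readObject shapes and the PlanarShape and NotAShape classes are all assumptions made for this demo; Lucene's real classes and wire format differ.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;

// Hypothetical stand-in for the pattern in the PR, not the Lucene implementation.
public class DeserializationDemo {

    /** Marker for types that may be rebuilt from a shape stream (assumed). */
    interface SerializableObject {}

    /** A legitimate shape: its InputStream constructor reads one int. */
    public static final class PlanarShape implements SerializableObject {
        final int id;
        public PlanarShape(InputStream in) throws IOException {
            this.id = new DataInputStream(in).readInt();
        }
        @Override public String toString() { return "PlanarShape(" + id + ")"; }
    }

    /** Stand-in for any class on the classpath that has an InputStream
     *  constructor with side effects and is NOT a SerializableObject. */
    public static final class NotAShape {
        static int constructed = 0;
        public NotAShape(InputStream in) { constructed++; }
    }

    /** Constructed sample stream: UTF class name, then the shape payload. */
    static byte[] encode(String className, int payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeUTF(className);
        out.writeInt(payload);
        out.flush();
        return bos.toByteArray();
    }

    // ---- Vulnerable ordering: resolve, initialise, construct, then check ----
    static Object readObjectVulnerable(InputStream in) throws Exception {
        String name = new DataInputStream(in).readUTF();
        Class<?> clazz = Class.forName(name);                 // also runs static initialisers
        Constructor<?> ctor = clazz.getConstructor(InputStream.class);
        Object o = ctor.newInstance(in);                      // attacker-chosen constructor runs here
        if (!(o instanceof SerializableObject)) {
            throw new IOException("not a SerializableObject: " + name); // check comes too late
        }
        return o;
    }

    // ---- Hardened ordering: load without init, check the type, only then construct ----
    static Class<? extends SerializableObject> readClass(InputStream in) throws Exception {
        String name = new DataInputStream(in).readUTF();
        Class<?> clazz = Class.forName(name, false,           // initialize=false: no static init runs
                DeserializationDemo.class.getClassLoader());
        if (!SerializableObject.class.isAssignableFrom(clazz)) {
            throw new IOException("rejected class: " + name); // rejected before any instantiation
        }
        return clazz.asSubclass(SerializableObject.class);
    }

    static SerializableObject readObjectHardened(InputStream in) throws Exception {
        Class<? extends SerializableObject> clazz = readClass(in);
        return clazz.getConstructor(InputStream.class).newInstance(in);
    }

    public static void main(String[] args) throws Exception {
        byte[] good = encode(PlanarShape.class.getName(), 7);
        byte[] crafted = encode(NotAShape.class.getName(), 0);

        // Legitimate shape still deserializes through the hardened path.
        System.out.println(readObjectHardened(new ByteArrayInputStream(good)));

        // Vulnerable path: NotAShape's constructor has already run when the check fails.
        try { readObjectVulnerable(new ByteArrayInputStream(crafted)); }
        catch (IOException e) { System.out.println("vulnerable: " + e.getMessage()); }
        System.out.println("NotAShape constructions after vulnerable path: " + NotAShape.constructed);

        // Hardened path: rejected in readClass, constructor never invoked.
        try { readObjectHardened(new ByteArrayInputStream(crafted)); }
        catch (IOException e) { System.out.println("hardened: " + e.getMessage()); }
        System.out.println("NotAShape constructions after hardened path: " + NotAShape.constructed);
    }
}
```

Running main shows the counter in NotAShape incrementing on the vulnerable path and staying unchanged on the hardened one. Two caveats a reviewer would keep in mind: Class.forName(name, false, loader) still loads and links the named class, so an attacker can still probe which classes exist on the classpath, and isAssignableFrom accepts every SerializableObject implementation on the classpath, so an explicit registry of permitted shape classes remains a tighter control than the type check alone.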
