AlbumenJ commented on PR #12258: URL: https://github.com/apache/dubbo/pull/12258#issuecomment-1541432724
> > Dubbo already uses `ContextAutoTypeBeforeHandler` to indicate which classes can be deserialized. SupportAutoType should not be enabled.
>
> @AlbumenJ But, it **still has bugs**. Same code, using Hessian2 it works, switch to fastjson2 it goes wrong.
>
> I think, Dubbo should remove `JSONReader.Feature.IgnoreAutoTypeNotMatch`, instead of `JSONReader.Feature.SupportAutoType`.
>
> Because Dubbo is based on **interfaces** and is **strongly typed**, fastjson2 will judge whether the types match, and throw an exception if they do not match.

For security purposes, we should check whether the type matches. Otherwise, there may be some arbitrary serialization issue.
