Hi,
libxstream-java allows deserializing objects from XML. It can use a list of
allowed types or a list of blocked ones. If using the latter, that list may be
incomplete, causing security issues if an attacker deserializes insecure objects.
That blocklist has repeatedly been found to be incomplete.
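The allow-list configuration described above, as an added example that is not part of this thread or of the Debian or XStream project's own code. It assumes the XStream 1.4.x API (`addPermission`, `allowTypes`, `allowTypesByWildcard`); the `Greeting` class and the XML strings are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    /** Constructed example payload type; the only application class we accept from XML. */
    public static class Greeting {
        public String text;
        public int count;
    }

    /** Build an XStream instance that refuses every type not explicitly listed. */
    public static XStream allowListedXStream() {
        XStream xstream = new XStream();
        // Start from "deny everything", then add back only what this code needs.
        // This replaces the default permissions, so the blocklist is no longer
        // what stands between the parser and an arbitrary class.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);                // null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        // For a whole package of your own DTOs, a wildcard is the usual shape
        // (hypothetical package name):
        // xstream.allowTypesByWildcard(new String[] { "com.example.dto.**" });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowListedXStream();

        // Constructed XML for an allowed type: deserializes normally.
        String ok = "<greeting><text>hello</text><count>2</count></greeting>";
        Greeting g = (Greeting) xstream.fromXML(ok);
        System.out.println("allowed: " + g.text + " x" + g.count);

        // Constructed XML naming a standard JDK type that is NOT on the allow list.
        // With a blocklist, acceptance would depend on the list being complete;
        // here every unlisted class is refused before it is instantiated.
        String notListed = "<java.util.ArrayList/>";
        try {
            xstream.fromXML(notListed);
            System.out.println("unexpected: unlisted type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The point of starting from `NoTypePermission.NONE` is that the set of accepted classes is then exactly the set you wrote down, so an omission in the upstream blocklist no longer matters for this instance; the cost is that every new DTO has to be added to the list, which is the trade-off the thread is discussing.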
Hi Emilio,
On Wednesday, 02.06.2021, 12:26 +0200, Emilio Pozuelo Monfort wrote:
> I think it is time
> we declare the block list unsupported, asking users to switch to the allow
> list.
>
> Thoughts?
I believe it is sensible to switch to the whitelist by default after we have
tested the re