[ https://issues.apache.org/jira/browse/SHIRO-808?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Demers resolved SHIRO-808.
--------------------------------
    Resolution: Incomplete

> security enhance
> ----------------
>
>                 Key: SHIRO-808
>                 URL: https://issues.apache.org/jira/browse/SHIRO-808
>             Project: Shiro
>          Issue Type: Improvement
>          Components: RememberMe
>    Affects Versions: 1.7.0, 1.7.1
>            Reporter: k4n5hao
>            Priority: Minor
>
> In the file
> shiro/lang/src/main/java/org/apache/shiro/lang/io/ClassResolvingObjectInputStream.java
> we can find the resolveClass function.
>
> If Shiro blocks the classes below in the resolveClass function, it can protect Shiro
> against deserialization vulnerabilities:
> org.apache.commons.collections.functors.ChainedTransformer.transform
> org.apache.commons.collections.functors.InvokerTransformer
> org.apache.commons.collections.functors.InstantiateTransformer
> org.apache.commons.collections4.functors.InvokerTransformer
> org.apache.commons.collections4.functors.InstantiateTransformer
> org.codehaus.groovy.runtime.ConvertedClosure
> org.codehaus.groovy.runtime.MethodClosure
> org.springframework.beans.factory.ObjectFactory
> xalan.internal.xsltc.trax.TemplatesImpl
> org.apache.commons.beanutils.BeanComparator
>
> link: [https://github.com/wh1t3p1g/ysomap/tree/master/core/src/main/java/ysomap/core/payload/java/collections]
>
> I have not found a new security-relevant issue,
> but if Shiro blocks these classes, it can help Shiro block unknown
> deserialization vulnerabilities.
> thx

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
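The mechanism the reporter is pointing at, as an added, self-contained example that is not Shiro's `ClassResolvingObjectInputStream` nor any other Shiro code: `ObjectInputStream.resolveClass()` sees every class descriptor before an instance is created, so a policy check there runs before any gadget's constructor or `readObject()` can execute. The class `FilteringObjectInputStream`, the `Greeting` payload type and the `allowed` set are all hypothetical and constructed for the demo. The denylist holds the names from the issue (the first entry is listed as a method, `ChainedTransformer.transform`, but the class name is what `resolveClass()` receives; `TemplatesImpl` is given without its package prefix, so it is matched by suffix). The example also shows the stronger form of the same hook, an allowlist, which rejects anything not explicitly expected, including gadgets nobody has listed yet:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

/** Hypothetical filtering stream (added example, not Shiro code). */
public class FilteringObjectInputStream extends ObjectInputStream {

    /** Class names proposed for blocking in SHIRO-808. */
    static final Set<String> DENIED = Set.of(
        "org.apache.commons.collections.functors.ChainedTransformer",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.InstantiateTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InstantiateTransformer",
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.springframework.beans.factory.ObjectFactory",
        "org.apache.commons.beanutils.BeanComparator");

    /** The issue lists this one without its package prefix, so it is matched as a suffix. */
    static final String TEMPLATES_IMPL_SUFFIX = "xalan.internal.xsltc.trax.TemplatesImpl";

    /** Optional allowlist (assumption for this demo); when non-null, only these classes resolve. */
    private final Set<String> allowed;

    public FilteringObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    /** Runs for every non-proxy class descriptor in the stream, before any instance exists. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        check(elementName(desc.getName()));
        return super.resolveClass(desc);
    }

    /** Dynamic proxies carry interface names instead of a class name; filter those too. */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) {
            check(iface);
        }
        return super.resolveProxyClass(interfaces);
    }

    private void check(String name) throws InvalidClassException {
        if (name == null) {
            return; // primitive array component, nothing to resolve
        }
        if (DENIED.contains(name) || name.endsWith(TEMPLATES_IMPL_SUFFIX)) {
            throw new InvalidClassException(name, "class is on the deserialization denylist");
        }
        if (allowed != null && !allowed.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allowlist");
        }
    }

    /** "[Lcom.x.Foo;" -> "com.x.Foo"; primitive arrays such as "[I" -> null. */
    static String elementName(String name) {
        int i = 0;
        while (i < name.length() && name.charAt(i) == '[') i++;
        if (i == 0) return name;
        String rest = name.substring(i);
        if (rest.startsWith("L") && rest.endsWith(";")) return rest.substring(1, rest.length() - 1);
        return null;
    }

    /** Constructed payload type used only by this demo. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (FilteringObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Greeting.class.getName());
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")), allowed);
        System.out.println("allowed: " + g.text);
        try {
            // A harmless class, but one the allowlist does not expect: rejected before construction.
            deserialize(serialize(new ArrayList<>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The denylist alone only covers chains someone has already written down, which is why the demo rejects the unexpected `ArrayList` as well: an allowlist of the types a RememberMe cookie is actually expected to contain closes the gap the reporter describes as "unknown" gadgets. On Java 9 and later (and 8u121+), the JDK's own `ObjectInputFilter` set via `ObjectInputStream.setObjectInputFilter` provides the same check without subclassing and additionally limits graph depth and array sizes.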