[
https://issues.apache.org/jira/browse/AMQNET-835?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Timothy A. Bish moved OPENWIRE-65 to AMQNET-835:
------------------------------------------------
Key: AMQNET-835 (was: OPENWIRE-65)
Project: ActiveMQ .Net (was: ActiveMQ OpenWire)
> Document deserialization policy
> -------------------------------
>
> Key: AMQNET-835
> URL: https://issues.apache.org/jira/browse/AMQNET-835
> Project: ActiveMQ .Net
> Issue Type: Improvement
> Reporter: Arnout Engelen
> Priority: Major
>
> Unrestricted deserialization of untrusted data is dangerous and can lead to
> remote code execution attacks.
> To be able to safely deserialize untrusted data, the Apache NMS ActiveMQ .Net
> client introduced deserialization policy options in version 2.1.0
> ([https://www.mail-archive.com/dev@activemq.apache.org/msg68832.html]).
> It would be good to call out in the documentation that if you want to accept
> untrusted data, you should use these options.
> (I hope this is the correct Jira project to report this to, if not let me
> know and I'll re-file it to the correct one :))
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
