Hello Alvaro,

Alvaro wrote:

> Hi,
> I found that using the DynamicProxyConverter can be a security issue that
> can lead to remote code execution.

Can you elaborate a bit?

> I don't know if it is possible to unregister it as I can see no
> unregisterConverters method in the XStream class

For an existing XStream instance you can only register other converters with
the same or higher priority that claim to handle the same types.

As an alternative you might provide a ConverterLookup as constructor parameter
that already contains all supported converters and a ConverterRegistry that
actually does nothing.

Another alternative is to overwrite XStream's setupConverter method.

> but I would like to use
> XStream SpringOXM wrapper for a RESTFul API, so I would like to unregister
> it using the SpringOXM wrapper, is it possible?

Sorry, I am not familiar with SpringOXM at all. Therefore I cannot say how 
you configure it to use either different constructor parameters or an 
instance of a derived XStream type.
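
The first option in the reply above (registering a converter with higher priority that claims the same types), as an added example that is not part of the original message. `RejectDynamicProxyConverter` and the sample XML are constructed for illustration, and the XStream library is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import com.thoughtworks.xstream.mapper.DynamicProxyMapper;
import java.lang.reflect.Proxy;

public class BlockDynamicProxyDemo {

    /** Hypothetical converter: claims the dynamic proxy types and refuses them. */
    static final class RejectDynamicProxyConverter implements Converter {
        @Override
        public boolean canConvert(Class type) {
            // The placeholder type behind <dynamic-proxy> plus any java.lang.reflect.Proxy class.
            return type != null
                && (type.equals(DynamicProxyMapper.DynamicProxy.class) || Proxy.isProxyClass(type));
        }

        @Override
        public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
            throw new ConversionException("Dynamic proxies are not supported");
        }

        @Override
        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            // Fail before any child element (interfaces, handler) is read.
            throw new ConversionException("Dynamic proxies are not supported");
        }
    }

    public static void main(String[] args) {
        XStream xstream = new XStream();
        // Higher priority than the default converters, so this one is looked up first.
        xstream.registerConverter(new RejectDynamicProxyConverter(), XStream.PRIORITY_VERY_HIGH);

        // Constructed sample input: a proxy element that only names an interface.
        String xml = "<dynamic-proxy><interface>java.lang.Runnable</interface></dynamic-proxy>";
        try {
            xstream.fromXML(xml);
            System.out.println("unexpected: proxy was deserialized");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```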

