Hello Alvaro,
Alvaro wrote:
> Hi,
>
> I found that using the DynamicProxyConverter can be a security issue that
> can lead to remote code execution.
Can you elaborate a bit?
> I dont know if it is possible to unregister it
No.
> as I can see no
> unregisterConverters method in the XStream class
For an existing XStream instance you can only register other converters with
same or higher priority that claim to handle the same types.
As alternative you might provide a ConverterLookup as constructor parameter
that contains already all supported converters and a ConverterRegistry that
actually does nothing.
Another alternative is to overwrite XStream's setupConverter method.
> but I would like to use
> XStream SpringOXM wrapper for a RESTFul API, so I would like to unregister
> it using the SpringOXM wrapper, is it possible?
Sorry, I am not familiar with SpringOXM at all. Therefore I cannot say how
you configure it to use either different constructor parameters or an
instance of a derived XStream type.
Cheers,
Jörg
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
