Currently the library does not offer the ability to filter which objects are allowed to be deserialized from sessions.
This can potentially allow an attacker to inject arbitrary serialized Java objects into the session, which would then get deserialized and potentially lead to remote code execution.
In addition, if a third-party ObjectInputFilter is applied over the underlying ObjectInputStream, depending on the filter configuration, it can mean that certain attributes of the session are rejected. Please see this related stackoverflow question and this associated answer.
I created a fork of the project to show a possible solution to the problem, a WIP, just to get the idea. If you consider it appropriate, I can improve the forked code and submit a pull request.
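The two points raised in the issue, shown side by side as an added example (this is not the issue author's fork, and the session-store library under discussion is not named on this page, so the example drives a plain `ObjectInputStream` directly). It serializes a constructed session map, then deserializes it (1) with no filter, where an unexpected class is accepted without complaint; (2) with an allow-list that was written without knowing the application's real attribute types, where a legitimate `ArrayList` attribute is rejected; and (3) with an allow-list tuned to the attributes the application actually stores, where legitimate data is accepted and the unexpected class is rejected. `SessionFilterDemo`, `UserPrefs` and the two filter patterns are assumptions made for the example; `UserPrefs` is a harmless stand-in for whatever class an attacker would actually smuggle in, not a gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SessionFilterDemo {

    // Hypothetical application class that the session store was never meant to see.
    // It stands in for an attacker-chosen class; it does nothing on deserialization.
    static final class UserPrefs implements Serializable {
        private static final long serialVersionUID = 1L;
        String theme = "dark";
    }

    // Allow-list written without knowing the application's session shape:
    // java.util.ArrayList is missing, so a legitimate "roles" attribute gets rejected.
    // "!*" at the end rejects every class that did not match an earlier pattern.
    static final ObjectInputFilter STRICT = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    // Allow-list tuned to what this application actually stores in the session.
    // java.lang.Number is listed because the stream carries Integer's serializable
    // superclass descriptor, and the filter is consulted for it too.
    static final ObjectInputFilter TUNED = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.util.ArrayList;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be installed before the first readObject(); null means "no filter".
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    // Reports the outcome as text so the three configurations can be compared directly.
    // A REJECTED filter status surfaces as InvalidClassException("filter status: REJECTED").
    static String tryDeserialize(byte[] bytes, ObjectInputFilter filter) {
        try {
            return "accepted: " + deserialize(bytes, filter);
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample session with attributes a web application would plausibly store.
        Map<String, Object> legit = new HashMap<>();
        legit.put("userId", 42);
        legit.put("roles", new ArrayList<>(List.of("user")));
        byte[] legitBytes = serialize(legit);

        // Constructed "hostile" session: same shape, but one attribute is an unexpected class.
        Map<String, Object> hostile = new HashMap<>();
        hostile.put("userId", 42);
        hostile.put("prefs", new UserPrefs());
        byte[] hostileBytes = serialize(hostile);

        System.out.println("no filter, hostile:    " + tryDeserialize(hostileBytes, null));
        System.out.println("strict filter, legit:  " + tryDeserialize(legitBytes, STRICT));
        System.out.println("tuned filter, legit:   " + tryDeserialize(legitBytes, TUNED));
        System.out.println("tuned filter, hostile: " + tryDeserialize(hostileBytes, TUNED));
    }
}
```

The first line of output is the problem the issue describes: with no filter, `UserPrefs` (or any class on the classpath) is instantiated from attacker-controlled bytes. The second line is the issue's second point: a filter bolted on from outside, without knowledge of the session's attribute types, rejects data the application legitimately stored. That is why the allow-list belongs with the session store's configuration, where the application owner knows which classes are expected, rather than being applied blindly over the stream. Note that `!*` rejects only classes; primitives and back-references are not consulted, and the same `createFilter` pattern syntax also accepts `maxdepth=`, `maxrefs=`, `maxbytes=` and `maxarray=` limits for bounding resource use.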