Monday, November 23, 2015

Re: Java Deserialization Vulnerability


Thanks Lars for the clarification. Looks like a bad plan to fix all broken implementations using ObjectInputStream and better remove it completely in a GWT-RPC environment.

You can use Java serialization just fine as long as you can be sure no one has modified your serialized data and that the data has actually been produced by your app. A digital signature would solve that.

-- J.

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
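What "a digital signature would solve that" looks like in practice, as an added example that is not part of the original thread or of GWT itself: the serialized bytes are authenticated before they are ever handed to ObjectInputStream. This example uses an HMAC rather than a public-key signature, which is sufficient when the same server both produces and later consumes the data (a session token, a cached object); if producer and consumer cannot share a secret, swap in a Signature over the same bytes with the same check-before-deserialize ordering. The class name, the key handling in main, and the tampered blob are all constructed for illustration.

```java
import java.io.*;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: Java serialization wrapped in an HMAC so only data this app produced is deserialized. */
public final class SignedSerialization {
    private static final String ALG = "HmacSHA256";
    private static final int TAG_LEN = 32; // HmacSHA256 output length in bytes

    private final SecretKeySpec key;

    public SignedSerialization(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALG);
    }

    /** Serialize obj and prepend an HMAC tag computed over the serialized bytes. */
    public byte[] seal(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        byte[] payload = bos.toByteArray();
        byte[] tag = mac(payload);
        byte[] out = new byte[TAG_LEN + payload.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(payload, 0, out, TAG_LEN, payload.length);
        return out;
    }

    /** Verify the tag first; only a blob that passes is handed to ObjectInputStream. */
    public Object open(byte[] blob) throws IOException, ClassNotFoundException {
        if (blob == null || blob.length < TAG_LEN) {
            throw new SecurityException("blob too short to carry a tag");
        }
        byte[] tag = new byte[TAG_LEN];
        byte[] payload = new byte[blob.length - TAG_LEN];
        System.arraycopy(blob, 0, tag, 0, TAG_LEN);
        System.arraycopy(blob, TAG_LEN, payload, 0, payload.length);
        // MessageDigest.isEqual compares in constant time, so the tag cannot be guessed byte by byte.
        if (!MessageDigest.isEqual(tag, mac(payload))) {
            throw new SecurityException("HMAC mismatch: data was modified or not produced by this app");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    private byte[] mac(byte[] data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            return m.doFinal(data);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // server-side key; it must never reach the GWT client
        SignedSerialization s = new SignedSerialization(secret);

        byte[] blob = s.seal(new java.util.ArrayList<>(java.util.Arrays.asList("a", "b")));
        System.out.println("round trip: " + s.open(blob));

        // Constructed tampering: flip one byte of the serialized payload. The tag check fails
        // before ObjectInputStream sees the bytes, so no gadget chain inside them can run.
        blob[blob.length - 1] ^= 0x01;
        try {
            s.open(blob);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the scheme only works if the key stays on the server: in a GWT-RPC deployment the browser is the untrusted party, so any blob that round-trips through the client must be sealed and opened with a key the client never holds. Second, authentication establishes provenance, not safety: if an attacker can get the application to seal attacker-chosen objects, or if the key leaks, ObjectInputStream is exposed again, so restricting which classes readObject may resolve (via a resolveClass override, or ObjectInputFilter on Java 9 and later) remains a worthwhile complementary control.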
