Monday, October 7, 2024

Re: Is GWT RPC secure in 2.11?

There was a security issue that we were made aware of up until 2.10:
https://bishopfox.com/blog/gwt-unpatched-unauthenticated-java-deserialization-vulnerability
https://github.com/gwtproject/gwt/issues/9709
https://github.com/gwtproject/gwt/pull/9879

This was fixed in the 2.10.1 and 2.11.0 releases - 2.11.0 was about to go out so we tacked on another change for it, and 2.10.1's only change was this same fix, backported.

There are other future changes to restore the "enhanced classes" feature, but I haven't seen any serious interest in it, so we might not end up restoring it, but removing it entirely?
https://github.com/gwtproject/gwt/issues/9880
https://github.com/gwtproject/gwt/issues/9881

On Monday, October 7, 2024 at 10:26:53 AM UTC-5 cbruno...@gmail.com wrote:
Love GWT RPC as its makes calling code on the server seamless. I was reading however that it might not be secure (so issue with arbitrary code execution). Im not a security expert Can someone give me the status of RPC and the security issue with sending annotated POJOs?  

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/6d9666d7-e28e-40a8-bb4b-bb8b584f9721n%40googlegroups.com.

No comments:

Post a Comment