Monday, November 23, 2015

Re: Java Deserialization Vulnerability


Thanks Lars for the clarification. Looks like a bad plan to fix all broken implementations using ObjectInputStream and better remove it completely in a GWT-RPC environment.

You can use Java serialization just fine as long as you can be sure no one has modified your serialized data and that the data has actually been produced by your app. A digital signature would solve that.

-- J.

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

Re: Java Deserialization Vulnerability

Thanks Lars for the clarification. Looks like a bad plan to fix all broken implementations using ObjectInputStream and better remove it completely in a GWT-RPC environment.


Re: Java Deserialization Vulnerability

Yeah I'd agree with that!

On Mon, Nov 23, 2015 at 8:29 PM, Lars <lars.gemeinhardt@gmail.com> wrote:
@Thomas: Thanks for this information, but I guess the correct property is rpc.enhancedClasses :-)
@Jakob: Keep in mind that commons-collections is not the only library "under attack" ... groovy and spring share a similar use case https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads  :-( I think reading objects from outside (worst case without authentication) using ObjectInputStream is always a bad idea!


Re: Java Deserialization Vulnerability

@Thomas: Thanks for this information, but I guess the correct property is rpc.enhancedClasses :-)
@Jakob: Keep in mind that commons-collections is not the only library "under attack" ... groovy and spring share a similar use case https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads :-( I think reading objects from outside (worst case without authentication) using ObjectInputStream is always a bad idea!


Re: JsInterop Maven fail

Ok, I got the following to work:

(linux/mac specific)

[presumes you have ant, maven, jdk, etc, installed]

cd ~/git
mkdir gwt
cd gwt
git clone https://github.com/gwtproject/tools.git tools
git clone https://github.com/gwtproject/gwt.git gwt
cd gwt
ant clean dist-dev -Dgwt.version=2.8.0-SNAPSHOT

[press enter for all defaults]

./maven/push-gwt.sh

[edit build.gradle]

repositories {
    jcenter()
    maven {
        url "https://oss.sonatype.org/content/repositories/google-snapshots/"
    }
    mavenLocal()
}

[notes]

It now pulls all from sonatype, except for jsinterop which it pulls from local


Re: JsInterop Maven fail

Yes

On 11/23/2015 01:50 PM, Thomas Broyer wrote:


On Monday, November 23, 2015 at 5:57:58 PM UTC+1, Michael Joyner wrote:
ok,

this is not working out

ALL the POM's point to 2.8.0-SNAPSHOT as dependencies. Result: I depend on a module, the module references latest snapshot, latest snapshot references missing jsinterop, compile failure because of dependency failure.

As the POM's are currently written it does not appear possible to "point to a specific version".

Have you tried something along those lines:

configurations.all*.resolutionStrategy {
  force 'com.google.gwt:gwt-user:…'
  force 'com.google.gwt:gwt-dev:…'
}

Anyone have a fix yet?

We have a fix for our build (still in review though), but we're currently waiting for Daniel and/or Sonatype to allow us to publish the com.google.jsinterop artifacts.
I just proposed on Gerrit to rollback the change before the next nightly build to fix our snapshots.

On 11/23/2015 10:48 AM, Michael Joyner wrote:

I can't seem to set GWT version to a different version other than snapshot because each module has a different version number based on seconds.

I don't think this would be such an issue if the POM version numbers were truncated to DAY so that all POM version numbers MATCHED.

I've tried setting each component's version # manually, but this is turning into a total fubar for me and my front-end guy.

We can't get anything to compile this morning at all.

-Mike



On 11/23/2015 10:28 AM, EMan wrote:
I can't get it to work either.  I have changed gwt-user to various versions, but it still wants to get jsinterop snapshot.

Failed to read artifact descriptor for com.google.gwt:gwt-user:jar:2.8.0-20151118.055323-98: Could not find artifact com.google.jsinterop:jsinterop:pom:1.0.0-SNAPSHOT in google-snapshots (https://oss.sonatype.org/content/repositories/google-snapshots/) -

Not sure what combination I need to get this to work.  RC1 is a great idea.  I don't love working out of snapshot. 

Re: JsInterop Maven fail

2.9

On 11/23/2015 01:44 PM, Jens wrote:

Anyone have a fix yet?

Which Gradle version do you use? Gradle didn't support pinning a specific SNAPSHOT build some time ago. Maybe you should upgrade Gradle.


-- J.