kaxil commented on code in PR #51639: URL: https://github.com/apache/airflow/pull/51639#discussion_r2143025266
########## RELEASE_NOTES.rst: ########## @@ -3136,17 +3136,6 @@ https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.ht It is strongly advised to **not** enable the feature until you make sure that only highly trusted UI/API users have "edit connection" permissions. -The ``xcomEntries`` API disables support for the ``deserialize`` flag by default (#32176) -""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" -For security reasons, the ``/dags/*/dagRuns/*/taskInstances/*/xcomEntries/*`` -API endpoint now disables the ``deserialize`` option to deserialize arbitrary -XCom values in the webserver. For backward compatibility, server admins may set -the ``[api] enable_xcom_deserialize_support`` config to *True* to enable the -flag and restore backward compatibility. - -However, it is strongly advised to **not** enable the feature, and perform -deserialization at the client side instead. - Review Comment: Yeah we should not since that is for Airflow 2.7+ and those between >=2.7,<3.1 are still affected
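Review bot: the block removed under `@@ -3136,17 +3136,6 @@` is the entry that documents the `[api] enable_xcom_deserialize_support` config and the advice to perform deserialization at the client side, so deleting it from RELEASE_NOTES.rst drops that security guidance for the release it was written for (#32176). Release notes are a historical record of what each version changed, so keep this entry as it is; if the option's behaviour is changing, describe that in a new entry rather than by removing this one.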