Author: smartini
Date: Mon Jan 30 17:41:34 2023
New Revision: 1907119

URL: http://svn.apache.org/viewvc?rev=1907119&view=rev
Log:
Update the security notes (Javadoc) in the two classes potentially exposed to the Java deserialization-of-arbitrary-objects vulnerability: BinarySerializer and QueryServlet.

Modified:
    pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java
    pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java

Modified: 
pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java
URL: 
http://svn.apache.org/viewvc/pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java?rev=1907119&r1=1907118&r2=1907119&view=diff
==============================================================================
--- pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java 
(original)
+++ pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java 
Mon Jan 30 17:41:34 2023
@@ -27,7 +27,10 @@ import org.apache.pivot.util.Utils;
 /**
  * Implementation of the {@link Serializer} interface that uses Java's internal
  * serialization mechanism to read and write values. All values in the object
- * hierarchy are required to implement {@link java.io.Serializable}.
+ * hierarchy are required to implement {@link java.io.Serializable}.<br/>
+ *
+ * Note that for better security, you should only use BinarySerializer in 
QueryServlet
+ * if you're sure the incoming requests will only come from trusted sources.
  */
 public class BinarySerializer implements Serializer<Object> {
     public static final String MIME_TYPE = 
"application/x-java-serialized-object";
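Review bot: The added warning says "for better security" but never states the threat, so a reader cannot judge what "trusted" must mean: per the existing summary this class reads values with Java's native serialization, which means any byte stream that reaches it can instantiate arbitrary `Serializable` classes on the classpath (the well-known gadget-chain remote-code-execution vector), presumably via `ObjectInputStream.readObject` in a method outside this hunk. I would replace the two added sentences with `Because this class uses Java native serialization, deserializing bytes from an untrusted source can execute arbitrary code; never pass untrusted input to it.` followed by `If it must accept network input, authenticate the caller first and restrict the permitted classes with an ObjectInputFilter (JDK 9+, or 8u121+).` Also, `<br/>` is a self-closing element that javadoc's doclint (Java 8+) rejects with "self-closing element not allowed"; use a `<p>` paragraph instead. The BinarySerializer class body continues beyond the hunk.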

Modified: 
pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java
URL: 
http://svn.apache.org/viewvc/pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java?rev=1907119&r1=1907118&r2=1907119&view=diff
==============================================================================
--- pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java 
(original)
+++ pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java 
Mon Jan 30 17:41:34 2023
@@ -44,7 +44,10 @@ import org.apache.pivot.web.QueryDiction
 import org.apache.pivot.web.QueryException;
 
 /**
- * Abstract base class for query servlets.
+ * Abstract base class for query servlets.<br/>
+ *
+ * Note that for better security, you should only use BinarySerializer in 
QueryServlet
+ * if you're sure the incoming requests will only come from trusted sources.
  */
 public abstract class QueryServlet extends HttpServlet {
     /**
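Review bot: The sentence added here is a verbatim copy of the one in BinarySerializer, and it does not tell a subclass author where the decision is made — the method that chooses the serializer for a request is not in this hunk, and "trusted sources" is not a property a servlet can check. I would reword it to name the obligation: `If a subclass selects a {@link BinarySerializer}, it must authenticate the request before the body is deserialized, because Java native deserialization of untrusted input can execute arbitrary code.` Linking to BinarySerializer rather than duplicating its text keeps the two warnings from drifting apart. As in the other file, `<br/>` is rejected by doclint as a self-closing element; a `<p>` paragraph is the conventional Javadoc form. The QueryServlet class body continues beyond the hunk.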

