Author: smartini Date: Mon Jan 30 17:41:34 2023 New Revision: 1907119 URL: http://svn.apache.org/viewvc?rev=1907119&view=rev Log: update security info in classes potentially exposed to the Java deserialization of arbitrary objects vulnerability
Modified:
    pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java
    pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java

Modified: pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java
URL: http://svn.apache.org/viewvc/pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java?rev=1907119&r1=1907118&r2=1907119&view=diff
==============================================================================
--- pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java (original)
+++ pivot/trunk/core/src/org/apache/pivot/serialization/BinarySerializer.java Mon Jan 30 17:41:34 2023
@@ -27,7 +27,10 @@ import org.apache.pivot.util.Utils;
 /**
  * Implementation of the {@link Serializer} interface that uses Java's internal
  * serialization mechanism to read and write values. All values in the object
- * hierarchy are required to implement {@link java.io.Serializable}.
+ * hierarchy are required to implement {@link java.io.Serializable}.<br/>
+ *
+ * Note that for better security, you should only use BinarySerializer in QueryServlet
+ * if you're sure the incoming requests will only come from trusted sources.
  */
 public class BinarySerializer implements Serializer<Object> {
     public static final String MIME_TYPE = "application/x-java-serialized-object";

Modified: pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java
URL: http://svn.apache.org/viewvc/pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java?rev=1907119&r1=1907118&r2=1907119&view=diff
==============================================================================
--- pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java (original)
+++ pivot/trunk/web-server/src/org/apache/pivot/web/server/QueryServlet.java Mon Jan 30 17:41:34 2023
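Review bot: The new Javadoc scopes the warning to QueryServlet, but the hazard belongs to BinarySerializer itself: any caller that reads bytes of MIME type application/x-java-serialized-object from an untrusted source (a client deserializing a server response, for instance) is equally exposed, and readObject, which lies outside this hunk, presumably wraps the stream in an ObjectInputStream. I would state the risk on the class rather than on one consumer, e.g. `Reading with this serializer deserializes arbitrary classes named in the input; use it only on data from trusted sources, and consider installing an ObjectInputFilter on the stream (Java 9+, also 8u121+) if the project's baseline allows.` Also, `<br/>` is rejected by doclint as a self-closing element; `<p>` is the conventional Javadoc paragraph break here.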
@@ -44,7 +44,10 @@ import org.apache.pivot.web.QueryDiction
 import org.apache.pivot.web.QueryException;
 
 /**
- * Abstract base class for query servlets.
+ * Abstract base class for query servlets.<br/>
+ *
+ * Note that for better security, you should only use BinarySerializer in QueryServlet
+ * if you're sure the incoming requests will only come from trusted sources.
  */
 public abstract class QueryServlet extends HttpServlet {
     /**
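Review bot: The added note tells a subclass author to avoid BinarySerializer without saying where that choice is made; the serializer used to read a request body is selected elsewhere in QueryServlet (outside this hunk, presumably in the method that creates a serializer for a request), and that is the member the class Javadoc should point at so the warning is actionable. I would also say what "trusted" means in servlet terms, e.g. `Only accept application/x-java-serialized-object on endpoints restricted to authenticated, trusted clients; prefer a data-only format such as JSON for anything reachable anonymously.` As in BinarySerializer, `<br/>` is rejected by doclint as a self-closing element; use `<p>` for the new paragraph.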