k4n5hao created SHIRO-808:
-----------------------------
Summary: security enhance
Key: SHIRO-808
URL: https://issues.apache.org/jira/browse/SHIRO-808
Project: Shiro
Issue Type: Improvement
Components: RememberMe
Affects Versions: 1.7.0
Reporter: k4n5hao
in file:
shiro/lang/src/main/java/org/apache/shiro/lang/io/ClassResolvingObjectInputStream.java
we can find the resolveClass function.
If Shiro blocks the classes below, it can protect Shiro against the deserialization
vulnerability:
org.apache.commons.collections.functors.ChainedTransformer.transform
org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.functors.InstantiateTransformer
org.apache.commons.collections4.functors.InvokerTransformer
org.apache.commons.collections4.functors.InstantiateTransformer
org.codehaus.groovy.runtime.ConvertedClosure
org.codehaus.groovy.runtime.MethodClosure
org.springframework.beans.factory.ObjectFactory
xalan.internal.xsltc.trax.TemplatesImpl
thx
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
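As an illustration of the gate proposed above, here is an ObjectInputStream subclass that checks every class name in resolveClass against the reporter's deny list and, because a deny list alone is easy to sidestep with a class it does not name, additionally requires an allow-listed package (added example, not Shiro's ClassResolvingObjectInputStream; the allow-list prefixes and the com.example.app package are assumptions).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** Deserialization gate applied before any class from the stream is loaded. */
public class FilteringObjectInputStream extends ObjectInputStream {

    // Deny list from the report. The report names the method
    // ChainedTransformer.transform; the class itself is what resolveClass sees.
    // TemplatesImpl is given here with its full JDK package name.
    private static final Set<String> DENIED = Set.of(
        "org.apache.commons.collections.functors.ChainedTransformer",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.InstantiateTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InstantiateTransformer",
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.springframework.beans.factory.ObjectFactory",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

    // Assumed allow list: only the types a RememberMe payload should contain.
    private static final Set<String> ALLOWED_PREFIXES = Set.of(
        "java.lang.", "java.util.", "org.apache.shiro.subject.",
        "com.example.app.model.");   // hypothetical application package

    public FilteringObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Strips array nesting: "[[Lfoo.Bar;" -> "foo.Bar", "[I" -> "I". */
    static String elementType(String name) {
        int depth = 0;
        while (depth < name.length() && name.charAt(depth) == '[') depth++;
        String rest = name.substring(depth);
        boolean objectArray = depth > 0 && rest.startsWith("L") && rest.endsWith(";");
        return objectArray ? rest.substring(1, rest.length() - 1) : rest;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String element = elementType(desc.getName());
        if (element.length() == 1) return super.resolveClass(desc); // primitive array
        if (DENIED.contains(element) || ALLOWED_PREFIXES.stream().noneMatch(element::startsWith)) {
            throw new InvalidClassException(desc.getName(), "rejected by deserialization filter");
        }
        return super.resolveClass(desc);
    }
}
```

On Java 9 and later the same policy can be expressed declaratively with ObjectInputFilter (JEP 290), which also covers classes reached through resolveProxyClass.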