markt-asf commented on pull request #428:
URL: https://github.com/apache/tomcat/pull/428#issuecomment-877146000


Security concerns only arise with untrusted apps. Untrusted apps have to run under a SecurityManager, else they have access to reflection and can do pretty much whatever they like. Therefore, we don't need to worry about what an app can do via reflection. I'd be happy with a requirement that any attributes passed to the GenericPrincipal constructor should be safe to expose to a potentially untrusted app (e.g. immutable, already a defensive copy, etc).

I've no objection to a little defence in depth - such as using `Collections.unmodifiableMap()` - but I don't think we need to do too much here.

I remain concerned about the potential complexity / fragility of any solution that attempts to provide defensive copies automatically. Any issues in such code are likely to result in security vulnerabilities.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
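An added illustration of the trade-off discussed in the comment above; this is not Tomcat's code and not the GenericPrincipal class under review (the `AttributePrincipal` and `DefensiveCopyDemo` names are hypothetical). It shows what wrapping the attributes in `Collections.unmodifiableMap()` protects (the map's own structure) and what it does not (mutable values stored in it), which is why the proposed contract that constructor arguments are already immutable or defensively copied still carries the security weight.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for a principal carrying caller-supplied attributes.
final class AttributePrincipal {
    private final Map<String, Object> attributes;

    AttributePrincipal(Map<String, Object> attrs) {
        // Defence in depth: copy the entries, then expose a read-only view so a
        // web app can neither add/remove keys nor see later changes to the
        // caller's map. The wrapper is shallow: the values are whatever the
        // caller supplied, so they must already be immutable or copies.
        this.attributes = attrs == null
                ? Collections.emptyMap()
                : Collections.unmodifiableMap(new HashMap<>(attrs));
    }

    Map<String, Object> getAttributes() {
        return attributes;
    }
}

public class DefensiveCopyDemo {
    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("roles", List.of("user"));                  // immutable value
        attrs.put("groups", new ArrayList<>(List.of("staff"))); // mutable value
        AttributePrincipal p = new AttributePrincipal(attrs);

        // 1. The map structure is protected: mutation through the view fails.
        try {
            p.getAttributes().put("roles", List.of("admin"));
        } catch (UnsupportedOperationException e) {
            System.out.println("put rejected by unmodifiableMap");
        }
        // 2. Because the constructor copied the entries, a later change to the
        //    caller's map does not reach the principal.
        attrs.put("injected", "x");
        System.out.println("injected visible: " + p.getAttributes().containsKey("injected"));
        // 3. A mutable value is still shared with whoever holds a reference to
        //    it: the shallow wrapper cannot prevent this, only the constructor
        //    contract (values already immutable or copied) can.
        @SuppressWarnings("unchecked")
        List<String> groups = (List<String>) p.getAttributes().get("groups");
        groups.add("admins");
        System.out.println("groups now: " + p.getAttributes().get("groups"));
    }
}
```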