Hi David,

David Jorm wrote:

> On 01/19/2014 07:58 AM, Jörg Schaible wrote:

[snip]

>> Can you have a look at the docs:
>> https://fisheye.codehaus.org/changelog/xstream?cs=2214
>>
>> It's been a while since I was the last time in England and I am no native
>> speaker...
>>
>> Cheers,
>> Jörg
>>
> 
> Hi Jörg
> 
> I have read this documentation and I think it provides a thorough and
> accurate description of the security issue and the mitigations. I have
> edited security.html to clarify some language and grammar. The only
> substantial change to the content itself is the addition of the
> following statement:
> 
> "The key message for application developers is that deserializing
> arbitrary user-supplied content is a dangerous proposition in all cases."
> 
> My edited version is attached. I hope this is helpful.

Thanks for doing this! The difference is evident :)

I am currently in the process of activating the security mechanism in trunk
by default and gaining experience with the required changes for older code
bases and for not yet working stuff.

Cheers,
Jörg

