I think a flag to disable the enhanced classes feature isn't worth it. Apps 
that need that feature will stop working, so they won't use that flag. Apps 
that do not use this feature are not vulnerable unless the attacker can 
also control the content of the RPC policy file somehow.

I would output a compile error if rpc.enhancedClasses is not empty and/or 
JPA/JDO-annotated classes are detected for RPC serialization. That makes 
sure everyone is aware of that security issue.
Then we would provide a flag to disable that compile error, which means 
people must explicitly confirm that they understand that their app will be 
attackable through the internet if they have the required classes on the class 
path on the server. I think current exploits are all based on Apache 
commons-collections, but maybe additional libraries have already been 
discovered to make that deserialization exploit possible.

So I think that issue is important enough to make GWT compiles of possibly 
vulnerable apps stop working unless the user has set a flag to make them 
compile again.

-- J.

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Contributors" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit-contributors+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit-contributors/7df709d5-9cc9-431f-a596-ab07e23b0f8a%40googlegroups.com.
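The gate proposed in the message above (fail the build when rpc.enhancedClasses is set or JPA/JDO-annotated types are reachable by RPC, unless an explicit override is given), sketched as an added example. This is not GWT code and uses no GWT compiler API: the class name RpcEnhancedClassGate, the override property name rpc.allowEnhancedClasses, the use of a JVM system property for the override, and the list of annotations checked are all assumptions made for illustration; rpc.enhancedClasses is the property named in the discussion. Annotations are matched by fully qualified name so the check itself does not need the JPA/JDO jars.

```java
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;

// Added example, not part of GWT: a hypothetical compile-time gate for the
// enhanced-class RPC serialization feature discussed on the list.
public final class RpcEnhancedClassGate {

    // Persistence annotations that mark a type as a JPA/JDO "enhanced" class.
    // Looked up by name so the JPA/JDO libraries need not be on this checker's classpath.
    // (Assumed list; extend as needed.)
    private static final Set<String> PERSISTENCE_ANNOTATIONS = Set.of(
        "javax.persistence.Entity",
        "javax.persistence.Embeddable",
        "javax.jdo.annotations.PersistenceCapable");

    // Hypothetical override flag; the real GWT property named in the thread is rpc.enhancedClasses.
    public static final String OVERRIDE_PROPERTY = "rpc.allowEnhancedClasses";

    public static final class UnsafeRpcConfigurationException extends RuntimeException {
        public UnsafeRpcConfigurationException(String msg) { super(msg); }
    }

    /** Returns the names of all given types that carry one of the persistence annotations. */
    public static List<String> findPersistenceAnnotated(Collection<Class<?>> types) {
        List<String> hits = new ArrayList<>();
        for (Class<?> t : types) {
            for (Annotation a : t.getAnnotations()) {
                if (PERSISTENCE_ANNOTATIONS.contains(a.annotationType().getName())) {
                    hits.add(t.getName());
                    break; // one matching annotation is enough to flag the type
                }
            }
        }
        return hits;
    }

    /**
     * Throws unless overrideSet is true when either condition from the proposal holds:
     * rpc.enhancedClasses is non-empty, or a JPA/JDO-annotated type is RPC-serializable.
     * With the override set, the same message is printed as a warning instead.
     *
     * @param enhancedClassesProperty value of rpc.enhancedClasses (null or blank when unset)
     * @param serializableTypes       types the RPC serialization policy would admit
     * @param overrideSet             whether the explicit "I understand" flag was given
     */
    public static void check(String enhancedClassesProperty,
                             Collection<Class<?>> serializableTypes,
                             boolean overrideSet) {
        List<String> problems = new ArrayList<>();
        if (enhancedClassesProperty != null && !enhancedClassesProperty.isBlank()) {
            problems.add("rpc.enhancedClasses is set to '" + enhancedClassesProperty + "'");
        }
        List<String> annotated = findPersistenceAnnotated(serializableTypes);
        if (!annotated.isEmpty()) {
            problems.add("JPA/JDO-annotated types reachable by RPC: " + annotated);
        }
        if (problems.isEmpty()) {
            return; // feature not in use: nothing to warn about
        }
        String msg = "Enhanced-class RPC serialization performs server-side Java "
            + "deserialization of client-controlled data (" + String.join("; ", problems)
            + "). A gadget chain on the server classpath makes the app remotely exploitable. "
            + "Set -D" + OVERRIDE_PROPERTY + "=true to acknowledge this and compile anyway.";
        if (overrideSet) {
            System.err.println("WARNING: " + msg);
            return;
        }
        throw new UnsafeRpcConfigurationException(msg);
    }

    public static void main(String[] args) {
        boolean override = Boolean.getBoolean(OVERRIDE_PROPERTY);
        // Constructed sample input: no annotated types, but the policy property is set,
        // so this fails unless run with -Drpc.allowEnhancedClasses=true.
        check("com.example.Order", List.of(), override);
        System.out.println("compile would proceed");
    }
}
```

Run as `java RpcEnhancedClassGate` to see the failure, and with `-Drpc.allowEnhancedClasses=true` to see it downgraded to a warning. In a real integration the two inputs would come from the compiler's module configuration and from the set of types admitted by the generated RPC serialization policy; the string-based annotation lookup is what keeps the check independent of whether the JPA/JDO jars are present at compile time.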