Due to the influx of CVEs, all related to default typing ("serialization gadgets"; there were 2 earlier CVEs for XML settings and external reference resolution, but everything else falls into this category), I have thought a bit about the best way to improve the modularity of protections. I filed this:

https://github.com/FasterXML/jackson3-dev/issues/21

for one idea for Jackson 3.0, which I believe should allow a fully modular approach covering default typing as well as per-property `@JsonTypeInfo` with a (too) general base type (java.lang.Object). I don't think I'll have time to develop this immediately, but the approach itself is relatively simple, and I think it mostly comes down to quite a bit of plumbing to carry the handler around.

On the plus side, I think this addition would have usability well beyond security concerns: it could help with cases of polymorphic handling where the exact type needs to be changed (for example, the JDK has some types that can not be deserialized back, but there is a logical alternative that would work), or, when working with legacy systems, types that have issues.

-+ Tatu +-
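Added illustration, not part of this message or of the linked issue: the two situations the message names, default typing and a `@JsonTypeInfo` property whose base type is `java.lang.Object`, are exactly the ones where the JSON document, not the application, picks the concrete class to instantiate. The example below restricts that choice with Jackson 2.10's `PolymorphicTypeValidator` (a real 2.x API; treating it as a stand-in for the Jackson 3.0 handler proposed here is an assumption of this example). The package, the `Event` classes and the sample JSON are constructed for the example.

```java
package com.example.events;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class TypeIdAllowListDemo {

    // Constructed domain types: the only classes a document may legitimately name.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }
    public static class LogoutEvent implements Event { public String user; }

    // Case 1: per-property @JsonTypeInfo with the overly general base type Object.
    // With Id.CLASS the "@class" value in the document names the class to build.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Case 2: no annotation at all; an interface-typed field that only works
    // because default typing is active for non-concrete base types.
    public static class Record {
        public Event event;
    }

    // Allow-list validator: a type id is resolved only if the class name starts with
    // our own package prefix. Anything else is refused before the class is loaded
    // and before any constructor, setter or static initializer of it can run.
    static PolymorphicTypeValidator allowOnlyOurEvents() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build();
    }

    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = allowOnlyOurEvents();
        ObjectMapper mapper = new ObjectMapper();
        // Governs annotation-based polymorphism (case 1); Jackson's default
        // validator accepts every class name, so this must be set explicitly.
        mapper.setPolymorphicTypeValidator(ptv);
        // Governs default typing (case 2); the validator is a required argument here,
        // unlike the older enableDefaultTyping() which took none.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input: an allowed type id resolves normally.
        String okEnvelope = "{\"payload\":{\"@class\":\"com.example.events.TypeIdAllowListDemo$LoginEvent\",\"user\":\"alice\"}}";
        Envelope e = mapper.readValue(okEnvelope, Envelope.class);
        System.out.println("payload is " + e.payload.getClass().getSimpleName());

        // Constructed input for default typing; OBJECT_AND_NON_CONCRETE uses the
        // WRAPPER_ARRAY shape [typeId, value] by default.
        String okRecord = "{\"event\":[\"com.example.events.TypeIdAllowListDemo$LogoutEvent\",{\"user\":\"bob\"}]}";
        Record r = mapper.readValue(okRecord, Record.class);
        System.out.println("event is " + r.event.getClass().getSimpleName());

        // Constructed input naming a class outside the allow-list (java.util.Date is
        // just a placeholder for "any class we did not list"): rejected at type-id
        // resolution with InvalidTypeIdException, no instance of it is ever created.
        String rejected = "{\"payload\":{\"@class\":\"java.util.Date\"}}";
        try {
            mapper.readValue(rejected, Envelope.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected type id: " + ex.getTypeId());
        }
    }
}
```

The detection point worth noting is `InvalidTypeIdException`: when an allow-list like this is in place, that exception on a request path is the signal that a document tried to name a class the application never intended to deserialize, so it is worth logging with the offending type id rather than being swallowed as a generic parse error.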
