[
https://issues.apache.org/jira/browse/LOG4J2-1863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15952781#comment-15952781
]
ASF subversion and git services commented on LOG4J2-1863:
---------------------------------------------------------
Commit 5dcc19215827db29c993d0305ee2b0d8dd05939d in logging-log4j2's branch
refs/heads/master from [~jvz]
[ https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192 ]
[LOG4J2-1863] Add class filtering to AbstractSocketServer
This allows a whitelist of class names to be specified to configure
which classes are allowed to be deserialized in both TcpSocketServer and
UdpSocketServer.
> Add support for filtering input in TcpSocketServer and UdpSocketServer
> ----------------------------------------------------------------------
>
> Key: LOG4J2-1863
> URL: https://issues.apache.org/jira/browse/LOG4J2-1863
> Project: Log4j 2
> Issue Type: New Feature
> Components: Receivers
> Affects Versions: 2.8.1
> Reporter: Matt Sicker
> Assignee: Matt Sicker
> Fix For: 2.8.2
>
>
> It is best practice to add a configurable class filter to ObjectInputStream
> usage when input comes from untrusted sources. Add this feature to
> TcpSocketServer and UdpSocketServer along with sensible default settings.
> This feature is unnecessary in JmsServer as that relies on the underlying
> configuration of the JMS server (e.g., ActiveMQ has a similar configuration
> option).
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
