vy commented on code in PR #4098: URL: https://github.com/apache/logging-log4j2/pull/4098#discussion_r3159839779
########## src/changelog/.2.x.x/harden_message_deserialization.xml: ########## @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<entry xmlns="https://logging.apache.org/xml/ns"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xsi:schemaLocation=" + https://logging.apache.org/xml/ns + https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"; + type="changed"> + <description format="asciidoc"> + Applied `SerializationUtil.assertFiltered()` consistently to every `private void readObject(ObjectInputStream)` across `log4j-api`, `log4j-core`, `log4j-1.2-api`, `log4j-slf4j-impl`, and `log4j-slf4j2-impl`. Defense-in-depth only; wire format is unchanged. Review Comment: ```suggestion type="changed"> <issue id="4098" link="https://github.com/apache/logging-log4j2/pull/4098"/> <description format="asciidoc"> Harden `readObject(ObjectInputStream)` method argument checks in serializable API models ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
