On 10/12/2010 01:41 PM, Michal Kleczek wrote:
On Tuesday 12 of October 2010 13:33:09 Sim IJskes - QCG wrote:
On 10/12/2010 01:11 PM, Michal Kleczek wrote:
On Tuesday 12 of October 2010 13:08:19 Sim IJskes - QCG wrote:
On 10/12/2010 12:33 PM, Michal Kleczek wrote:
Hmm... I think I would argue that annotation should have the codebase
embedded and only issue a remote call to verify this codebase - not to
retrieve it.
How about we get rid of Module interface and require annotation to be
RmiModule (which is final)?
By re/encoding it as a String. So we can harden the MarshallInputStream
to only accept UTF-8 String with limited length.
Would that be enough just not to allow recursive readAnnotation()?
That way our stream would be more compact...
It is my perception that you can feed the deserializer anything you
want, recursive or not, as long as you limit yourself to the jre
classes. The 'check' (at this moment) happens at the cast to String.
And by building a babushka in the stream, cause a stackoverflow or
heapoverflow (dependent on the implementation) in this way.
But isn't it something that always can happen if the code of objects you
deserialize has bugs?
It doesn't happen with readUTF(). The first bytes read are the stream
header, (0xac, 0xed, 0, 5), and then the length, then the bytes
composing the string. No parsing of TC constants, and no optional code
paths that can lead to out-of-anything dos attacks. Send it with
writeUTF, read it with a custom function limiting the length of the
string and voila we have at least made it 1 step more difficult to dos.
Gr. Sim
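The bounded readUTF approach from the message above, as an added example that is not River's MarshalInputStream or any code from the thread. It assumes the sender writes the 4-byte stream header followed by DataOutputStream.writeUTF (the layout described above), and the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.StreamCorruptedException;
import java.util.Arrays;

// Added example, not River's MarshalInputStream: read one length-bounded
// modified-UTF-8 annotation that directly follows the 4-byte stream header
// (0xac 0xed 0x00 0x05). Assumes the sender wrote the header and then
// DataOutputStream.writeUTF, so no TC_* tags are ever parsed.
public final class BoundedAnnotationReader {
    private static final byte[] HEADER = {(byte) 0xac, (byte) 0xed, 0x00, 0x05};

    public static String readAnnotation(DataInputStream in, int maxBytes) throws IOException {
        byte[] hdr = new byte[HEADER.length];
        in.readFully(hdr);
        if (!Arrays.equals(hdr, HEADER)) {
            throw new StreamCorruptedException("bad stream header");
        }
        int len = in.readUnsignedShort();   // writeUTF's unsigned 16-bit byte length
        if (len > maxBytes) {
            // Check the declared length before allocating or reading anything.
            throw new StreamCorruptedException("annotation too long: " + len);
        }
        byte[] utf = new byte[len];
        in.readFully(utf);
        // Re-prefix the length so DataInputStream decodes modified UTF-8 and
        // rejects malformed sequences with UTFDataFormatException.
        ByteArrayOutputStream buf = new ByteArrayOutputStream(len + 2);
        new DataOutputStream(buf).writeShort(len);
        buf.write(utf, 0, len);
        return new DataInputStream(new ByteArrayInputStream(buf.toByteArray())).readUTF();
    }

    // Constructed sample writer producing the layout the reader expects.
    public static byte[] encode(String annotation) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        buf.write(HEADER);
        new DataOutputStream(buf).writeUTF(annotation);
        return buf.toByteArray();
    }
}
```

Feeding `encode("http://host/dl.jar")` through `readAnnotation(..., 1024)` returns the string, while a 2000-byte annotation is rejected on its declared length before any payload is read.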