On Mon, Nov 16, 2015 at 4:18 PM, Jason Bailey wrote:
> We've been looking at a javaagent and/or a WeavingHook to do the same
> thing
I've been looking a bit more at https://github.com/kantega/notsoserial
and it looks quite good, and its author Erik is open to
Sent: Wednesday, November 11, 2015 2:20 PM
To: Bertrand Delacretaz <bdelacre...@apache.org>
Cc: dev <dev@sling.apache.org>
Subject: Re: SafeObjectInputStream prototype
On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:
On Tue, Nov 10, 2015 at 4:57 PM, Bertrand Delacretaz wrote:
> ...maybe we can provide the current mode with whitelist of fixed class
> names, with the option of a set of white + blacklists based on regexp
> class name patterns...
I have now implemented this using a
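The whitelist-plus-regex filtering described in the quoted proposal, as an added example that is not the SLING-5288 prototype or any Sling code: a hypothetical ObjectInputStream subclass that checks every class name passing through resolveClass against a fixed whitelist, regex whitelist patterns and regex blacklist patterns, denying by default. The class name, the constructor shape and the pattern values are assumptions made up for this illustration.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

/** Hypothetical filtering stream: exact-name whitelist plus regex white/blacklists, default deny. */
public class SafeObjectInputStreamExample extends ObjectInputStream {
    private final Set<String> exactWhitelist;
    private final List<Pattern> whitePatterns;
    private final List<Pattern> blackPatterns;

    public SafeObjectInputStreamExample(InputStream in, Set<String> exactWhitelist,
            List<Pattern> whitePatterns, List<Pattern> blackPatterns) throws IOException {
        super(in);
        this.exactWhitelist = exactWhitelist;
        this.whitePatterns = whitePatterns;
        this.blackPatterns = blackPatterns;
    }
    /** Called by the JVM for every class descriptor in the stream, before any instance is created. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isAllowed(name)) {
            throw new InvalidClassException(name, "rejected by deserialization filter");
        }
        return super.resolveClass(desc);
    }
    boolean isAllowed(String name) {
        for (Pattern p : blackPatterns) {            // a blacklist match always rejects
            if (p.matcher(name).matches()) return false;
        }
        if (exactWhitelist.contains(name)) return true;
        for (Pattern p : whitePatterns) {
            if (p.matcher(name).matches()) return true;
        }
        return false;                                // anything else is denied
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();   // constructed sample stream
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(List.of("a", "b")));
        }
        try (ObjectInputStream in = new SafeObjectInputStreamExample(
                new ByteArrayInputStream(bos.toByteArray()), Set.of("java.util.ArrayList"),
                List.of(Pattern.compile("java\\.lang\\.[A-Za-z]+")),    // hypothetical patterns
                List.of(Pattern.compile("com\\.example\\.internal\\..*")))) {
            System.out.println("accepted: " + in.readObject());
        }
    }
}
```

Array descriptors such as `[Ljava.lang.String;` also pass through resolveClass, so patterns have to account for them. On Java 9 and later (and 8u121+), the built-in ObjectInputFilter / `jdk.serialFilter` mechanism provides the same hook without subclassing.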
On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz wrote:
> ...I have created a prototype at SLING-5288 to guard against recently
> reported Java deserialization risks...
In the meantime I also tested https://github.com/kantega/notsoserial
which is very interesting as
On Tue, Nov 10, 2015 at 4:06 PM, Antonio Sanso wrote:
> ...I was wondering if we can have a combination of white/black list approach
> though...
SerialKiller [1], which was also recently created, uses regular
expression patterns with both black and white lists (and gets them
Thanks a lot Bertrand!!
This looks promising.
I have seen you used a white list approach (that is the best way by far).
I was wondering if we can have a combination of white/black list approach though.
regards
antonio
On Nov 10, 2015, at 3:09 PM, Bertrand Delacretaz
Hi,
I have created a prototype at SLING-5288 to guard against recently
reported Java deserialization risks.
Feedback is welcome, and if someone feels like enhancing that with an
ObjectInputStream wrapper that would be useful.
-Bertrand