[ISPN-9116] Server marshallers/transcoders don't support whitelist when deserializing - Red Hat Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: 9.3.0.Final, 9.2.5.Final
Fix Version/s: 9.4.0.Alpha1, 9.4.0.CR3, 9.3.1.Final
Component/s: Server
Labels:
None

Security Sensitive Issue:

This issue is security relevant
Git Pull Request:
https://github.com/infinispan/infinispan/pull/6112, https://github.com/infinispan/infinispan/pull/6114

Description

The server deserializes binary payloads and json/xml payload without any checks. This happens when:

Compatibility mode is on
Remote listeners with filters
Remote iteration with filters
Remote tasks with parameters
Server is configured with MediaType.APPLICATION_OBJECT
Potentially with JSON and XML contents sent via REST

The remote endpoints affected are REST, Hot Rod and Memcached.

Attachments

Issue Links

blocks

ISPN-9336 Error transcoding from JSON/XML to java objects with deployed entities

Closed

Activity

People

Assignee:: Gustavo Fernandes (Inactive)

Reporter:: Gustavo Fernandes (Inactive)

Tester:: Diego Lovison

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2018/05/02 1:56 PM

Updated:: 2020/09/14 5:34 AM

Resolved:: 2018/07/03 9:34 AM