[ISPN-9116] Server marshallers/transcoders don't support whitelist when deserializing - Red Hat Issue Tracker

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: 9.3.0.Final, 9.2.5.Final
Fix Version/s: 9.4.0.Alpha1, 9.4.0.CR3, 9.3.1.Final
Component/s: Server
Labels:
None

Security Sensitive Issue:

This issue is security relevant
Git Pull Request:
https://github.com/infinispan/infinispan/pull/6112, https://github.com/infinispan/infinispan/pull/6114

Description

The server deserializes binary payloads and json/xml payload without any checks. This happens when:

Compatibility mode is on
Remote listeners with filters
Remote iteration with filters
Remote tasks with parameters
Server is configured with MediaType.APPLICATION_OBJECT
Potentially with JSON and XML contents sent via REST

The remote endpoints affected are REST, Hot Rod and Memcached.

Gliffy Diagrams

Attachments

Issue Links

blocks

ISPN-9336 Error transcoding from JSON/XML to java objects with deployed entities

Closed

Activity

People

Assignee:

Gustavo Fernandes

Reporter:

Gustavo Fernandes

Tester:

Diego Lovison

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

02/May/18 1:56 PM

Updated:

11/Oct/18 8:11 AM

Resolved:

03/Jul/18 9:34 AM