-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62088/#review184591
-----------------------------------------------------------

Ship it!

I am rather disappointed that this required no test changes. It seems unreasonable to require that as part of this small change. How would you feel about adding a chore to backfill test coverage in the near future? It makes me quite uneasy that we don't have coverage for something this important.

- Alexander Murmann


On Sept. 5, 2017, 5:57 p.m., Bruce Schuchardt wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62088/
> -----------------------------------------------------------
>
> (Updated Sept. 5, 2017, 5:57 p.m.)
>
>
> Review request for geode, Alexander Murmann, Galen O'Sullivan, Hitesh
> Khamesra, and Udo Kohlmeyer.
>
>
> Bugs: GEODE-3249
>     https://issues.apache.org/jira/browse/GEODE-3249
>
>
> Repository: geode
>
>
> Description
> -------
>
> This change leaves the security hole in place but allows you to plug it by
> setting the system property
>
> geode.disallow-internal-messages-without-credentials=true
>
> Clients must be upgraded to the release containing this change if you set
> this system property to true and client/server authentication is enabled.
> Otherwise client messages to register PDX types or Instantiators will be
> rejected by the servers.
>
>
> Diffs
> -----
>
>   geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/ServerConnection.java b243d8ebb8f7fb698a4637c7a787ee2d7216f1f7
>
>
> Diff: https://reviews.apache.org/r/62088/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Bruce Schuchardt
>
>