Any use of deserialization over the network (or from untrusted input
sources in general) should use an allowlist of deserializable classes.
That's what we did in log4j2's serialized log event receiver code a
few years ago, for example:
https://github.com/apache/logging-log4j2/commit/5dcc192
(CVE-2017-5646).

On Sat, 7 Nov 2020 at 11:12, Scott Deboy <scott.de...@gmail.com> wrote:
>
> I assume reverse-connect is still fine (SocketHubAppender/Receiver),
> as Chainsaw is being configured to reach a specific (assumed trusted)
> endpoint, yes?
>
>
>
> On 11/6/20, Scott Deboy <scott.de...@gmail.com> wrote:
> > Holy cow. February?
> >
> > I have zero problem with us nuking the object serialization receiver
> > support. I think the vfs receiver is the way to go, still works great.
> >
> > I can remove the code in Chainsaw master.
> >
> > Hope all are well, good to hear from you!
> >
> > Scott
> >
> > On Fri, Nov 6, 2020, 7:53 PM Ralph Goers <ralph.go...@dslextreme.com>
> > wrote:
> >
> >> Great to hear from you again!  I don’t know if you saw it but there is a
> >> Chainsaw related email on Feb 12 of this year in the private list that
> >> you
> >> should take a look at if you are planning on doing some work on Chainsaw.
> >>
> >> Ralph
> >>
> >> > On Nov 6, 2020, at 5:57 PM, Scott Deboy <scott.de...@gmail.com> wrote:
> >> >
> >> > Hey all,
> >> >
> >> > Long time.
> >> >
> >> > I decided to work through the pom ugliness and a couple of swing
> >> > degradation issues in Chainsaw.
> >> >
> >> > I found an ASL2 Mac dmg creation maven plugin, and it works well on my
> >> > Mac, if anyone cares to try it out please do.
> >> >
> >> > Pushing changes to master shortly.
> >> >
> >>
> >>
> >>
> >
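The allowlist approach recommended at the top of this thread, as an added example that is not the log4j2 commit's own code: an ObjectInputStream subclass overrides resolveClass() so that every class descriptor read from the wire is checked against an explicit set before the class is loaded. SimpleEvent is a hypothetical stand-in for a real log event type, and the payloads are constructed in main().

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical log-event payload standing in for a real log event class. */
final class SimpleEvent implements Serializable {
    private static final long serialVersionUID = 1L;
    final String message;
    SimpleEvent(String message) { this.message = message; }
}

/**
 * ObjectInputStream that refuses to resolve any class not on an explicit
 * allowlist. resolveClass() is consulted for every class descriptor in the
 * stream, so an unexpected class is rejected before it is ever loaded or
 * instantiated.
 */
final class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // InvalidClassException is an IOException, so it propagates straight
            // out of readObject() instead of being swallowed as "class not found".
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
}

public class AllowlistDemo {
    // Only the event type the receiver expects. Strings are written as
    // primitive stream records and never reach resolveClass().
    static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(SimpleEvent.class.getName())));

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithAllowlist(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), ALLOWED)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload of the expected type: accepted.
        byte[] ok = serialize(new SimpleEvent("hello"));
        SimpleEvent e = (SimpleEvent) readWithAllowlist(ok);
        System.out.println("accepted: " + e.message);

        // Constructed payload of a type the receiver never asked for: rejected
        // at the class descriptor, before any object of that type exists.
        byte[] unexpected = serialize(new java.util.ArrayList<>(Arrays.asList("x")));
        try {
            readWithAllowlist(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The allowlist has to name every class whose descriptor can legitimately appear in the stream: the payload class, each of its serializable superclasses, and the runtime class of every object-typed field, so it should be built from the receiver's actual schema and kept small. On JDK 9 and later (and 8u121+), the same policy can be expressed with the built-in java.io.ObjectInputFilter instead of subclassing, which also lets you cap array sizes and graph depth.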
