Explicit note on Java deserialization
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2012 the original author or authors.
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
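Review bot: the header year bump from 2002-2012 to 2002-2016 matches the edit made further down in this file, but the visible diff of the second file (the hunk at -48,6 +48,11) carries no corresponding header update; check that its copyright line was bumped as well, since both files receive the same Javadoc change in this commit.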
@@ -36,6 +36,11 @@ import org.springframework.beans.factory.FactoryBean;
* expense of being tied to Java. Nevertheless, it is as easy to set up as
* Hessian and Burlap, which is its main advantage compared to RMI.
*
* <p><b>WARNING: Be aware of vulnerabilities due to unsafe Java deserialization:
* Manipulated input streams could lead to unwanted code execution on the server
* during the deserialization step. As a consequence, do not expose HTTP invoker
* endpoints to untrusted clients but rather just between your own services.</b>
*
* @author Juergen Hoeller
* @since 1.1
* @see #setServiceInterface
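Review bot: the risk direction in the new warning does not fit this class. The surrounding context (the FactoryBean import, the `@see #setServiceInterface` reference) indicates the client-side proxy, which deserializes the server's response stream, so the threat on this side is a compromised or spoofed endpoint executing code on the client, not only "unwanted code execution on the server". Suggest wording the client-side paragraph accordingly, for example "Manipulated response streams could lead to unwanted code execution on the client; only point this proxy at endpoints you trust", and replacing "do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services" with the plainer "use HTTP invoker only between trusted services". If the class offers a hook for creating or restricting the ObjectInputStream, the warning should point to it rather than leave the reader with a prohibition only.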
@@ -48,6 +48,11 @@ import org.springframework.web.util.NestedServletException;
* expense of being tied to Java. Nevertheless, it is as easy to set up as
* Hessian and Burlap, which is its main advantage compared to RMI.
*
* <p><b>WARNING: Be aware of vulnerabilities due to unsafe Java deserialization:
* Manipulated input streams could lead to unwanted code execution on the server
* during the deserialization step. As a consequence, do not expose HTTP invoker
* endpoints to untrusted clients but rather just between your own services.</b>
*
* @author Juergen Hoeller
* @since 1.1
* @see HttpInvokerClientInterceptor
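Review bot: the same bold paragraph is pasted verbatim into this second file, including the awkward "but rather just between your own services"; suggest "only between trusted services" in both places, or one full sentence here with the other Javadoc pointing at it. For the exporter side the caveat that matters is missing: whoever can reach the endpoint controls the stream handed to deserialization, so "do not expose HTTP invoker endpoints to untrusted clients" has to be enforced by network restriction or authentication in front of the endpoint, and because the code execution the warning describes happens "during the deserialization step" itself, authorization checks performed later inside the invoked service cannot prevent it. One sentence stating that would make the warning actionable instead of a bare prohibition.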