[FLINK-6421] Unchecked reflection calls in PojoSerializer - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Not A Problem
Affects Version/s: None
Fix Version/s: None
Component/s: API / Type Serialization System
Labels:
None

Description

Here is one example:

      String subclassName = source.readUTF();
      try {
        actualSubclass = Class.forName(subclassName, true, cl);

subclassName may carry tainted value, allowing an attacker to bypass security checks, obtain unauthorized data, or execute arbitrary code

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ted Yu

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 29/Apr/17 19:32

Updated:: 23/May/17 03:36

Resolved:: 23/May/17 03:36