Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Description
Unrestricted deserialization of untrusted data is dangerous and can lead to remote code execution attacks.
To be able to safely deserialize untrusted data, the Apache NMS ActiveMQ .Net client introduced deserialization policy options in version 2.1.0 (https://www.mail-archive.com/dev@activemq.apache.org/msg68832.html).
It would be good to call out in the documentation that if you want to accept untrusted data, you should use these options.
(I hope this is the correct Jira project to report this to; if not, let me know and I'll re-file it to the correct one.)