Details
- Task
- Status: Closed
- Major
- Resolution: Fixed
Description
Suggested build failure message:
[forbidden-apis] Forbidden class/interface use: java.io.ObjectInputStream [Java deserialization is unsafe when the data is untrusted. The java developer is powerless: no checks or casts help, exploitation can happen in places such as clinit or finalize!]
I will whitelist existing places doing this for now.
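Why the message says checks and casts do not help, shown as an added example (not code from Lucene or from this issue; the classes `CastIsTooLate` and `Surprise` are constructed for illustration). It also goes one step beyond the issue by showing an allow-list `ObjectInputFilter` (Java 9+) as a stopgap for code that cannot drop serialization yet.

```java
import java.io.*;

public class CastIsTooLate {
    static boolean sideEffectRan = false;

    // Constructed stand-in for any Serializable class on the classpath whose
    // readObject (or static initializer, or finalize) does work.
    static class Surprise implements Serializable {
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true; // harmless marker: runs inside ObjectInputStream.readObject()
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] untrusted = serialize(new Surprise()); // the caller expected a String

        // Unsafe: the cast is evaluated only after readObject() has returned,
        // so the class's own code has already executed when the cast fails.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            String s = (String) in.readObject();
        } catch (ClassCastException e) {
            System.out.println("cast rejected, side effect already ran: " + sideEffectRan); // true
        }

        // Stopgap: the filter sees the class descriptor before any instance
        // is created, so Surprise.readObject is never invoked.
        sideEffectRan = false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.String;!*"));
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("filter rejected, side effect ran: " + sideEffectRan); // false
        }
    }
}
```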
Issue Links
- is related to
  - LUCENE-9095 remove java serialization from lucene/replicator (Open)
  - SOLR-14095 Replace Java serialization with Javabin in Overseer operations (Closed)
- relates to
  - SOLR-14117 remove java serialization from AnalyticsShardResponseParser.java (Open)