Apache Shiro issue SHIRO-808: security enhance

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Incomplete
    • Affects Version/s: 1.7.0, 1.7.1
    • Fix Version/s: None
    • Component/s: RememberMe
    • Labels: None

    Description

      In the file:

      shiro/lang/src/main/java/org/apache/shiro/lang/io/ClassResolvingObjectInputStream.java

      we can find the resolveClass function.

      If Shiro blocks the classes below in the resolveClass function, it can protect Shiro against deserialization vulnerabilities:

      org.apache.commons.collections.functors.ChainedTransformer.transform
      org.apache.commons.collections.functors.InvokerTransformer
      org.apache.commons.collections.functors.InstantiateTransformer
      org.apache.commons.collections4.functors.InvokerTransformer
      org.apache.commons.collections4.functors.InstantiateTransformer
      org.codehaus.groovy.runtime.ConvertedClosure
      org.codehaus.groovy.runtime.MethodClosure
      org.springframework.beans.factory.ObjectFactory
      com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
      org.apache.commons.beanutils.BeanComparator

      Link: https://github.com/wh1t3p1g/ysomap/tree/master/core/src/main/java/ysomap/core/payload/java/collections

      I have not discovered a new security-relevant issue.

      But if Shiro blocks these classes, it can help Shiro block unknown deserialization vulnerabilities.

      Thanks.
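The check the reporter proposes, as an added stand-alone example that is not the ticket's code and not Shiro's ClassResolvingObjectInputStream: an ObjectInputStream subclass whose resolveClass() rejects the listed class names, exercised once with a benign serialized ArrayList and once with a constructed stream whose class descriptor names InvokerTransformer. The class DenyListObjectInputStream, the helper forgedStream() and the sample input are all assumptions made for this example; no gadget library is needed because the name is refused before any class is resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Illustrative deny-list stream (example code, not Shiro's own class). */
public class DenyListObjectInputStream extends ObjectInputStream {

    // Class names from the ticket. The ".transform" suffix on the ChainedTransformer
    // entry is dropped: resolveClass() sees class names, never method names.
    static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "org.apache.commons.collections.functors.ChainedTransformer",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.InstantiateTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InstantiateTransformer",
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.springframework.beans.factory.ObjectFactory",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "org.apache.commons.beanutils.BeanComparator"));

    DenyListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // The JDK calls resolveClass() while it reads the class descriptor, before
        // any field data is read, so rejecting here happens before a gadget class
        // is loaded or instantiated.
        if (DENIED.contains(name)) {
            throw new InvalidClassException(name, "rejected by deserialization deny list");
        }
        return super.resolveClass(desc);
    }

    // Constructed test input: a minimal serialization stream whose class
    // descriptor carries the given name and declares no fields.
    static byte[] forgedStream(String className) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(0xACED);   // STREAM_MAGIC
        out.writeShort(5);        // STREAM_VERSION
        out.writeByte(0x73);      // TC_OBJECT
        out.writeByte(0x72);      // TC_CLASSDESC
        out.writeUTF(className);  // class name
        out.writeLong(0L);        // serialVersionUID (never compared; rejected first)
        out.writeByte(0x02);      // SC_SERIALIZABLE
        out.writeShort(0);        // field count
        out.writeByte(0x78);      // TC_ENDBLOCKDATA
        out.writeByte(0x70);      // TC_NULL: no superclass descriptor
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // 1. A benign object serialized normally is still accepted.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("alice", "bob")));
        }
        try (ObjectInputStream in = new DenyListObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("accepted: " + in.readObject());
        }

        // 2. A stream naming a gadget class is refused in resolveClass().
        byte[] forged = forgedStream(
            "org.apache.commons.collections.functors.InvokerTransformer");
        try (ObjectInputStream in = new DenyListObjectInputStream(
                new ByteArrayInputStream(forged))) {
            in.readObject();
            System.out.println("BUG: forged stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise against a resolveClass()-only deny list. First, it covers only gadget classes already known; an allow list that admits just org.apache.shiro.* and the JDK types a serialized PrincipalCollection needs is the stronger check, and on Java 9 and later the same policy can be set without subclassing via ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("org.apache.shiro.**;java.**;!*")). Second, an interface such as org.springframework.beans.factory.ObjectFactory normally reaches the stream as a java.lang.reflect.Proxy, which the JDK resolves through resolveProxyClass(String[] interfaces) rather than resolveClass(), so the same list has to be applied there too or that entry is never consulted.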

      People

        Assignee: Unassigned
        Reporter: k4n5hao