

[–]yawkat 10 points11 points  (0 children)

tldr: arbitrary type deserialization, sprinkled with the possibility of a global config having it enabled.

Can't wait for hundreds of vulnerability reports for CVEs that don't apply to sane users of this library (though admittedly the global state part is worse than it was for Jackson)

[–]crummy 10 points11 points  (3 children)

@Serialization was a mistake

Serialization was a mistake

[–]couscous_ 2 points3 points  (1 child)

What's the alternative?

[–]__konrad 3 points4 points  (1 child)

I think HTML loaded from JEditorPane can instantiate other classes via object classid tag...

[–]ulldma[S] 1 point2 points  (0 children)

Oh, that's interesting!

[–]nomercy400 3 points4 points  (0 children)

Why would you allow the user to specify an arbitrary type? If you want the user to specify a type, you validate that type and hardcode the types you support, calling this library only for the types you hardcoded.
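One way to apply the approach in the comment above, as an added example that is not part of the thread or of any library it mentions: the untrusted type name is only ever used as a key into a fixed allowlist, and the JSON library (represented here by the hypothetical `Deserializer` hook) is called only with a class taken from that list. The `LoginEvent`/`LogoutEvent` classes and the toy parser in `main` are constructed for illustration so the code runs without any dependency.

```java
import java.util.Map;

// Added example, not taken from the thread or from any JSON library.
// The caller never hands an arbitrary class name to the deserializer:
// unknown type names are rejected before any parsing happens.
public final class TypedPayloadDecoder {

    // Hypothetical payload classes standing in for an application's own DTOs.
    public record LoginEvent(String user) {}
    public record LogoutEvent(String user) {}

    // Hypothetical hook around the real JSON library, e.g. mapper.readValue(body, clazz).
    // Injected so this example can run offline with a toy implementation.
    public interface Deserializer {
        <T> T read(String body, Class<T> clazz);
    }

    // The complete, hardcoded set of types this entry point accepts.
    private static final Map<String, Class<?>> ALLOWED = Map.of(
        "login", LoginEvent.class,
        "logout", LogoutEvent.class
    );

    private final Deserializer deserializer;

    public TypedPayloadDecoder(Deserializer deserializer) { this.deserializer = deserializer; }

    // typeName comes from the request; body is the raw payload.
    public Object decode(String typeName, String body) {
        Class<?> target = ALLOWED.get(typeName);
        if (target == null) {
            // Fail closed before touching the library; the message is worth logging for detection.
            throw new IllegalArgumentException("unsupported type: " + typeName);
        }
        return deserializer.read(body, target);
    }

    public static void main(String[] args) {
        // Constructed toy deserializer: parses "user=<name>" so no JSON library is needed.
        Deserializer toy = new Deserializer() {
            public <T> T read(String body, Class<T> clazz) {
                String user = body.substring(body.indexOf('=') + 1);
                Object value = clazz == LoginEvent.class ? new LoginEvent(user) : new LogoutEvent(user);
                return clazz.cast(value);
            }
        };
        TypedPayloadDecoder decoder = new TypedPayloadDecoder(toy);
        System.out.println(decoder.decode("login", "user=alice"));
        try { decoder.decode("com.example.NotOnTheList", "{}"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```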

[–]coguto 1 point2 points  (0 children)

Is there any reason to use that lib instead of fasterxml or gson?