Details
- Bug
- Resolution: Unresolved
- Major
- None
- 1.1.7
- None
------------------------------------------------------------
Gradle 2.13
------------------------------------------------------------
Build time: 2016-04-25 04:10:10 UTC
Build number: none
Revision: 3b427b1481e46232107303c90be7b05079b05b1c
Groovy: 2.4.4
Ant: Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM: 1.8.0_92 (Oracle Corporation 25.92-b14)
OS: Mac OS X 10.11.5 x86_64
Description
I receive the following messages in Lilith while deserializing events sent by ch.qos.logback.access.net.SocketAppender from within my logback-access-sandbox:
- Unauthorized deserialization attempt! org.springframework.web.servlet.FlashMap
- Unauthorized deserialization attempt! org.springframework.util.LinkedMultiValueMap
Those messages are created by my own WhitelistObjectInputStream whenever it sees an unexpected class. This is done for security reasons. More info is included in the source linked above.
The problem is that even if I whitelisted those classes, they aren't necessarily available on the receiving end's classpath. They are a web container implementation detail that leaks through the AccessEvent.
The messages show up since I switched my sandbox from manual servlet to spring-boot. I suspect that shouldCopyAttribute in ch.qos.logback.access.spi.AccessEvent is the culprit since it copies everything that is Serializable. Everything else in AccessEvent looks safe.
This should be fixed. I'm just not sure about how to fix it exactly... maybe doing toString() during copy?
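The two halves of the report, a receiver that refuses class names it does not expect and a sender that copies every Serializable attribute, can be reproduced in a few dozen lines. The following is an added example, not Lilith's WhitelistObjectInputStream and not logback-access code: AllowListObjectInputStream, ContainerInternal, copySerializableAttributes and copyAttributesAsStrings are hypothetical stand-ins for the receiver's whitelist stream, a container-internal attribute such as FlashMap, the current shouldCopyAttribute behaviour, and the toString() copy the reporter suggests. The sample attribute map is constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration; AllowListObjectInputStream is a hypothetical stand-in, not Lilith's class. */
public class AttributeLeakDemo {

    /** Rejects any class descriptor whose name is not on the allow list, before the class is loaded. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        private final List<String> rejected = new ArrayList<>();

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                rejected.add(name);
                // Fail closed: the class is never loaded, so no static initializer or readObject runs.
                throw new InvalidClassException(name, "Unauthorized deserialization attempt!");
            }
            return super.resolveClass(desc);
        }

        List<String> rejected() { return rejected; }
    }

    /** Hypothetical container-internal type: Serializable, but unknown on the receiving side. */
    static final class ContainerInternal implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value;
        ContainerInternal(int value) { this.value = value; }
        @Override public String toString() { return "ContainerInternal[" + value + "]"; }
    }

    /** Mimics a copy that keeps every Serializable attribute; ContainerInternal leaks into the stream. */
    static Map<String, Object> copySerializableAttributes(Map<String, Object> attrs) {
        Map<String, Object> copy = new HashMap<>();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            if (e.getValue() instanceof Serializable) {
                copy.put(e.getKey(), e.getValue());
            }
        }
        return copy;
    }

    /** The reporter's proposal: copy every attribute as its toString() form, so only Strings are sent. */
    static Map<String, String> copyAttributesAsStrings(Map<String, Object> attrs) {
        Map<String, String> copy = new HashMap<>();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            copy.put(e.getKey(), String.valueOf(e.getValue()));
        }
        return copy;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns the class names the allow list rejected; an empty list means the payload was accepted. */
    static List<String> rejectedClasses(byte[] data, Set<String> allowed) throws IOException {
        AllowListObjectInputStream in =
                new AllowListObjectInputStream(new ByteArrayInputStream(data), allowed);
        try {
            in.readObject();
        } catch (InvalidClassException | ClassNotFoundException e) {
            // Expected for an off-list class; its name was recorded in resolveClass.
        } finally {
            in.close();
        }
        return in.rejected();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample attributes; "internal" stands in for a container-internal object.
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("requestId", "abc-123");
        attrs.put("internal", new ContainerInternal(42));

        // Strings are written as TC_STRING and never reach resolveClass, so only the map type is listed.
        Set<String> allowed = Collections.singleton("java.util.HashMap");

        List<String> leaky = rejectedClasses(serialize(copySerializableAttributes(attrs)), allowed);
        List<String> safe = rejectedClasses(serialize(copyAttributesAsStrings(attrs)), allowed);

        System.out.println("Serializable copy rejected: " + leaky);
        System.out.println("toString() copy rejected:   " + safe);
    }
}
```

Run with `javac AttributeLeakDemo.java && java AttributeLeakDemo`: the Serializable copy is rejected on the ContainerInternal descriptor, while the toString() copy passes with only java.util.HashMap on the list. Overriding resolveClass is the Java 8 way to do this; Java 9 and later (and later Java 8 updates) offer the same check without subclassing through java.io.ObjectInputFilter or the jdk.serialFilter system property.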