executePipelined with RedisCallback uses wrong serializer (RedisTemplate.java) [DATAREDIS-500] #1076
Comments
Nebula commented Last year I sent a message to your security team; they did not think it was a security vulnerability: https://jira.spring.io/browse/SPR-13656. AMQP was confirmed as a security vulnerability, why? https://pivotal.io/security/cve-2016-2173. JdkSerializationRedisSerializer also needs a whitelist.
argszero commented 174020160421053943
Mark Paluch commented argszero Could you provide us with your full name in English?
Mark Paluch commented Hi Nebula, thanks for reporting the issue. JDK deserialization is always a possibility for exploits, as we don't have any control over the data that is serialized/deserialized. This issue requires a bit more thought, as the JDK serializer is used by default. Introducing a white-list would break existing code, and each application using Spring Data Redis with default settings would need adjustments. If users don't change the serializer, a large number of classes are handled by the serializer. Take Spring Session, for example, which serializes the whole HTTP session. Those are classes which are not under the control of Spring Data Redis, and some users aren't even aware of the classes affected by serialization.
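One way to put the allow-list Nebula asks for onto the JDK serializer without changing its wire format, as an added example that is not part of this thread or of Spring Data Redis itself: a RedisSerializer that writes plain JDK serialization but overrides ObjectInputStream.resolveClass so that any class descriptor not on an explicit list is rejected before an instance is created. The class name AllowListJdkRedisSerializer and the allow-list contents are assumptions for illustration; the example only needs spring-data-redis on the classpath (for RedisSerializer and SerializationException) and no Redis server.

```java
// Added example, not Spring Data Redis project code. Assumes spring-data-redis
// is on the classpath; runs offline (no Redis connection is opened).
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;

public class AllowListJdkRedisSerializer implements RedisSerializer<Object> {

    // Fully qualified names of every class that may appear in a stream,
    // including serializable superclasses and array classes (e.g. "[B").
    private final Set<String> allowed;

    public AllowListJdkRedisSerializer(String... allowedClassNames) {
        this.allowed = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(allowedClassNames)));
    }

    @Override
    public byte[] serialize(Object value) throws SerializationException {
        if (value == null) {
            return new byte[0];
        }
        // Same format as JdkSerializationRedisSerializer, so existing keys stay readable.
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
            oos.flush();
            return bos.toByteArray();
        } catch (IOException e) {
            throw new SerializationException("Cannot serialize " + value.getClass().getName(), e);
        }
    }

    @Override
    public Object deserialize(byte[] bytes) throws SerializationException {
        if (bytes == null || bytes.length == 0) {
            return null;
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            // resolveClass runs for each class descriptor before any object of that
            // class is instantiated, so a rejection here stops a gadget chain before
            // its readObject/readResolve code ever executes.
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                String name = desc.getName();
                if (!allowed.contains(name)) {
                    throw new InvalidClassException(name, "class not on the deserialization allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new SerializationException("Cannot deserialize", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a session-like map of strings (String values are
        // written as TC_STRING records and never go through resolveClass).
        AllowListJdkRedisSerializer serializer = new AllowListJdkRedisSerializer("java.util.HashMap");

        Map<String, String> session = new HashMap<>();
        session.put("user", "alice");
        byte[] ok = serializer.serialize(session);
        System.out.println("allowed: " + serializer.deserialize(ok));

        // java.util.ArrayList is not on the list; a stream naming it is refused the
        // same way a stream naming a gadget class would be.
        byte[] refused = serializer.serialize(new ArrayList<>(Arrays.asList("x")));
        try {
            serializer.deserialize(refused);
            System.out.println("unexpected: refused payload was accepted");
        } catch (SerializationException e) {
            System.out.println("rejected: " + e.getCause().getMessage());
        }
    }
}
```

Wire it in with RedisTemplate#setDefaultSerializer (or the value/hash serializer setters) in place of JdkSerializationRedisSerializer. The operational cost is exactly the one described above: every class in the stored object graph, including serializable superclasses and array types, has to be on the list, which is why a default-on allow-list would break existing deployments such as Spring Session that store arbitrary session attributes.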
argszero commented Hi, Mark Paluch, why do I need to provide my full name in English? Do you mean the full name used to sign the Individual Contributor Agreement? I used "argszero true" when signing it.
Mark Paluch commented That's part of our contributor license requirement. No nicknames and no placeholders allowed. If you don't want to disclose your name, then open source contributions might not be the best way to go.
argszero commented Hi, Mark Paluch, my full name is "Anqing Shao" (Chinese name). I am sorry for all my mistakes.
Mark Paluch commented No worries, contributing for the first time usually takes a while to get all the things into shape. Each team is different. We all learn by doing things and getting feedback. These are no mistakes. Thanks a lot for the details, going to merge your contribution.
argszero opened DATAREDIS-500 and commented
RedisTemplate.executePipelined with RedisCallback uses the wrong serializer when hashKeySerializer is different from hashValueSerializer.
Affects: 1.7.1 (Hopper SR1), 1.8 M1 (Ingalls)
Referenced from: pull request #190
Backported to: 1.7.3 (Hopper SR3), 1.6.5 (Gosling SR5)