Which version of jackson-databind does not have a remote execution vulnerability?


Problem description

I am unable to find online which version of jackson-databind to use with a Spring application that doesn't have a remote execution vulnerability. Any help is appreciated.

Recommended answer

Since version 2.10.0 this problem is resolved by adding a new set of methods, activateDefaultTyping, instead of the deprecated set of methods enableDefaultTyping. Also, this problem was one of the reasons why this version was released.

Major Goals for 2.10

Looking back, there were 3 major goals for this minor release:

  1. Resolve the growing problem of "endless CVE patches", a stream of fixes for reported CVEs related to the "Polymorphic Deserialization" problem (described in "On Jackson CVEs…") that resulted in security tools forcing Jackson upgrades. 2.10 now includes "Safe Default Typing" that is hoped to resolve this problem.

You can find more in this article: Jackson 2.10 features.

Example code:

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.ArrayList;

public class JsonPathApp {

    // MyValue is not shown in the answer; this minimal placeholder is assumed so the class compiles.
    public static class MyValue {
        public String name;
    }

    public static void main(String[] args) throws Exception {
        // Explicit allow-list: only these classes may be instantiated from a type id in the input.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(MyValue.class)
                .allowIfSubType(ArrayList.class)
                .build();

        // activateDefaultTyping requires a PolymorphicTypeValidator; the deprecated
        // enableDefaultTyping had no such allow-list and resolved any class named in the JSON.
        ObjectMapper mapper = JsonMapper.builder()
                .enable(SerializationFeature.INDENT_OUTPUT)
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }
}
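The following is an added example (not code from the answer or from the Jackson project) showing what the validator actually does at deserialization time: a type id on the allow-list round-trips, while a type id naming any other class is rejected with an InvalidTypeIdException instead of being instantiated. The Envelope and MyValue classes and the JSON inputs are constructed for this example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTypingDemo {

    // Constructed application type: the only payload class we want to allow.
    public static class MyValue {
        public String name;
    }

    // Constructed wrapper; "payload" is declared as Object, so Jackson must read
    // the embedded type id to decide which class to instantiate.
    public static class Envelope {
        public Object payload;
    }

    static ObjectMapper safeMapper() {
        // With NON_FINAL typing the root Envelope also carries a type id, so it
        // must be allow-listed too; anything not listed here is denied.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Envelope.class)
                .allowIfSubType(MyValue.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();

        // Allowed case: serialize with type ids, then read the same JSON back.
        Envelope env = new Envelope();
        MyValue v = new MyValue();
        v.name = "ok";
        env.payload = v;
        String json = mapper.writeValueAsString(env);
        Envelope back = mapper.readValue(json, Envelope.class);
        System.out.println("allowed: " + ((MyValue) back.payload).name);

        // Denied case: constructed input whose type id names a class that is not
        // on the allow-list (a harmless HashMap here). The validator rejects it
        // before any object of that class is created.
        String untrusted = "[\"" + Envelope.class.getName()
                + "\",{\"payload\":[\"java.util.HashMap\",{}]}]";
        try {
            mapper.readValue(untrusted, Envelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same rejection happens for any class name not covered by the builder's allow rules, which is the point of "Safe Default Typing": the input can no longer choose an arbitrary class for Jackson to construct.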
