BoofCV icon indicating copy to clipboard operation
BoofCV copied to clipboard

Published 20 hours ago verified publisher icon lessthanoptimal

Arbitrary code may be executed in readObject.

Open 75ACOL opened this issue 2 years ago • 2 comments

boofcv.io.UtilIO.load public static <T> T load( String fileName ) { @Nullable URL url = UtilIO.ensureURL(fileName); if (url == null) throw new RuntimeException("Unknown path=" + fileName); try (InputStream fileIn = url.openStream()) { ObjectInputStream in = new ObjectInputStream(fileIn); return (T)in.readObject(); } catch (IOException | ClassNotFoundException e) { throw new RuntimeException(e); } } https://snyk.io/blog/serialization-and-deserialization-in-java/

75ACOL avatar Aug 23 '23 06:08 75ACOL

@lessthanoptimal How do you want to proceed with this one? This method really needs to go.

joshuajaharwood avatar Mar 18 '25 09:03 joshuajaharwood

Can you apply for a cve number for me, representing my contribution?

75ACOL avatar Mar 24 '25 01:03 75ACOL