Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable -and in many cases allows an attacker to execute arbitrary code. Even before a +and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, -and finalizers. Automatic deserialization of fields means that an attacker may +and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.
-There are many different serialization frameworks. This query currently +There are many different serialization frameworks. This query currently supports Pickle, Marshal and Yaml.
@@ -28,7 +28,7 @@ user-controlled type resolution.
-Avoid deserialization of untrusted data if at all possible. If the
+Avoid deserialization of untrusted data if at all possible. If the
architecture permits it then use other formats instead of serialized objects,
for example JSON.