Update java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp

More descriptive (and PC) description.

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
This commit is contained in:
Timo Müller
2021-05-04 13:52:47 +02:00
committed by GitHub
parent c22eeacbfc
commit f28e994121


@@ -16,7 +16,7 @@ In order to disallow the deserialization of arbitrary objects the passed environ
Ideally this filter only allows the deserialization to <code>java.lang.String</code>.
The filter can be configured by setting the key <code>jmx.remote.rmi.server.credentials.filter.pattern</code> (CONST variable <code>RMIConnectorServer.CREDENTIALS_FILTER_PATTERN</code>).
The filter should (ideally) blacklist all classes, and only whitelist java.lang.String for deserialization: (<code> "java.lang.String;!*"</code>).
The filter should (ideally) only allow java.lang.String and disallow all other classes for deserialization: (<code>"java.lang.String;!*"</code>).
The key-value pair can be set as following:
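Review bot: the rewritten sentence keeps the parenthetical "(ideally)" although the preceding context line already opens with "Ideally this filter only allows the deserialization to java.lang.String", so the two sentences now state the same recommendation twice; suggest dropping one of them, e.g. "The filter should only allow java.lang.String and reject all other classes for deserialization: (<code>"java.lang.String;!*"</code>)". The quoted pattern itself is correct for this purpose: filter entries are evaluated in order, so the explicit allow for java.lang.String must precede the catch-all reject "!*". While in this hunk, the trailing context line "The key-value pair can be set as following:" should read "as follows:".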
@@ -65,4 +65,4 @@ For this reason an initialitation with a <code>null</code> environment is also v
<li>Oracle release notes fixing the issue: <a href="https://www.oracle.com/java/technologies/javase/8u91-relnotes.html">Rlease Notes</a>.</li>
<li>Documentation for <a href="https://docs.oracle.com/javase/10/docs/api/javax/management/remote/rmi/RMIConnectorServer.html#CREDENTIALS_FILTER_PATTERN">CREDENTIALS_FILTER_PATTERN</a></li>
</references>
</qhelp>
</qhelp>
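Review bot: the only change in this hunk is to the closing </qhelp> line (apparently a trailing-newline fix), but two typos remain in the visible context and could be corrected in the same commit: "initialitation" in the hunk header line should be "initialization", and the link text "Rlease Notes" on the Oracle release notes reference should be "Release Notes".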