[AVRO-3819] [Java] Rationalize the system properties that limit allocation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.11.3
Component/s: java
Labels:
- pull-request-available

Description

There are currently some system properties that limit datum allocation size:

org.apache.avro.limits.byte.maxLength
org.apache.avro.limits.string.maxLength

These are hidden in two different classes (Utf8 and BinaryDecoder). It would make sense to centralize them in one place to make it clearer how to limit the damage untrusted data could do while deserializing.

Attachments

Issue Links

links to

CVE-2023-39410

GitHub Pull Request #2432

Activity

People

Assignee:: Ryan Skraba

Reporter:: Ryan Skraba

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 31/Jul/23 17:47

Updated:: 15/Nov/23 07:22

Resolved:: 19/Aug/23 06:29

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: