commons-dev mailing list archives

From Emmanuel Bourg <ebo...@apache.org>
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Sun, 08 Nov 2015 18:46:39 GMT
On 08/11/2015 15:12, Thomas Neidhart wrote:

> with the default being: do not de-serialize InvokerTransformer?
> Then I would be ok going that route.

I like the idea too. I have a question though: do we use a common
property enabling unsafe deserialization for all commons components, or
do we use a property per component or even per class?

Emmanuel Bourg


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org

