commons-dev mailing list archives

From Emmanuel Bourg
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Sun, 08 Nov 2015 18:46:39 GMT
On 08/11/2015 15:12, Thomas Neidhart wrote:

> with the default being: do not de-serialize InvokerTransformer?
> Then I would be ok going that route.

I like the idea too. I have a question though: do we use a common
property enabling unsafe deserialization for all commons components, or
do we use a property per component or even per class?

Emmanuel Bourg
