commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Neidhart <>
Subject Re: [collection][security] InvokerTransformer missused in java object serialisation exploits
Date Sun, 08 Nov 2015 20:39:34 GMT
On 11/08/2015 09:36 PM, James Carman wrote:
> Oh nasty! I must've met, this is quite a fascinating exploit. I'm going to
> do some digging later today when I am at my computer.

I just figured that the xalan code already does have a system property
to prevent translets from being de-serialized:

    public final static String DESERIALIZE_TRANSLET =

so a similar solution what we are going to do for collections.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message