commons-dev mailing list archives

From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?
Date Thu, 19 Nov 2015 14:47:46 GMT
On Thu, Nov 19, 2015 at 9:40 AM, Jochen Wiedmann
<jochen.wiedmann@gmail.com> wrote:
> ...but the solution from IO-487 looks to me to be much
> easier to use, in particular, because it shifts the burden on the
> container, or application vendor (where it belongs, IMO), and not on
> the end user running the container, or application....

Absolutely, I think both solutions are useful.

IO-487 is the clean solution when you can modify your source code and
specify what you want to deserialize or not.

Eirik's notsoserial agent is a useful (and clever) fix for code that
you can't modify, or as a first step until you can modify and release
your code.

-Bertrand
