commons-dev mailing list archives

From: Jochen Wiedmann <jochen.wiedm...@gmail.com>
Subject: Re: DiskFileItem at Apache Commons FileUpload 1.3.2
Date: Thu, 23 Jun 2016 18:33:35 GMT
On Thu, Jun 23, 2016 at 4:10 PM, Kensuke Matsuzaki <knsk.mtzk@gmail.com> wrote:
> Hi,
>
> I tried commons-fileupload-1.3.2.jar, and the same exploit works.
> I agree that binary compatibility is important, but `rm /etc/foo` is
> important too.
> Isn't it possible to disable serialization of DiskFileItem by a system
> property, like commons-collections-3.2.2?

That's why we removed it for the 1.4 releases. The 1.3 releases are a
different matter. Btw, you are welcome to compile your own version
from the sources, and use that. No need to wait.

Jochen


-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
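An application-side filter of the kind Kensuke asks about, added here as an example and not code from the FileUpload project or from either poster: an ObjectInputStream whose resolveClass rejects DiskFileItem, and any class outside an allowlist assumed for the demo, before the class is loaded or its readObject hook can run. On JDK 9+ (and the 8u121 backport of JEP 290) the same policy can be set process-wide with the jdk.serialFilter system property instead of a subclass.

```java
import java.io.*;
import java.util.*;

/** ObjectInputStream that rejects DiskFileItem and anything else outside an allowlist. */
public final class FilteredObjectInputStream extends ObjectInputStream {
    // The FileUpload 1.3.x class from the thread; it is never legitimate in this stream.
    static final String DISK_FILE_ITEM = "org.apache.commons.fileupload.disk.DiskFileItem";

    // Types this (assumed) application actually expects; everything else is refused.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));

    FilteredObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Called for every class descriptor in the stream, before the class is loaded
        // and before any readObject()/readResolve() hook of that class can execute.
        if (DISK_FILE_ITEM.equals(name) || !ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "rejected by deserialization filter");
        }
        return super.resolveClass(desc);
    }

    // Demo helper: serializes a value and reads it back through the filter.
    static Object roundTrip(Object value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in =
                     new FilteredObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: passes because ArrayList, Integer and its superclass Number are allowed.
        System.out.println("accepted: " + roundTrip(new ArrayList<>(Arrays.asList(1, 2, 3))));
        try {
            // java.util.Date stands in for any class the application never asked for.
            roundTrip(new Date());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```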
