Couldn't they use the same attack vector to set a system property also? I do believe that would be possible.

On Sun, Nov 8, 2015 at 1:46 PM Emmanuel Bourg <ebo...@apache.org> wrote:

> On 08/11/2015 15:12, Thomas Neidhart wrote:
>
> > with the default being: do not de-serialize InvokerTransformer?
> > Then I would be ok going that route.
>
> I like the idea too. I have a question though: do we use a common
> property enabling unsafe deserialization for all commons components, or
> do we use a property per component or even per class?
>
> Emmanuel Bourg