On 11/08/2015 07:51 PM, James Carman wrote:
> Couldn't they use the same attack vector to set a system property also? I do believe that would be possible

For this you need a way to execute code via a de-serialized class. Right now, the simplest way to do so is via the InvokerTransformer. There are surely other ways to do so, but if the only available way is blocked (i.e. InvokerTransformer cannot be deserialized), a remote attacker cannot set a system property via this attack vector.

BTW, setting a system property can also be restricted by a SecurityManager.

I am -1 on a programmatic interface, and for the 4.X branch I propose to remove the serialization support completely.

Thomas
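One way an application can enforce the "InvokerTransformer cannot be deserialized" condition on its own input, as an added example that is not code from this thread or from Commons Collections: an ObjectInputStream subclass that rejects denylisted class names in resolveClass, before any instance is created. The class name GadgetDenyingObjectInputStream and the denylist contents are assumptions for the demo; the rejection is shown with java.util.Date so it runs without commons-collections on the classpath.

```java
import java.io.*;
import java.util.*;

/** ObjectInputStream that refuses denylisted classes before any object is instantiated. */
public class GadgetDenyingObjectInputStream extends ObjectInputStream {
    private final Set<String> denied;

    public GadgetDenyingObjectInputStream(InputStream in, Set<String> denied) throws IOException {
        super(in);
        this.denied = denied;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // The class name is read from the stream before an instance exists, so throwing here
        // means the denied class's readObject/readResolve code never runs.
        if (denied.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not allowed in deserialized input");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize one object from bytes under the given denylist. */
    public static Object readDenying(byte[] bytes, Set<String> denied) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new GadgetDenyingObjectInputStream(new ByteArrayInputStream(bytes), denied)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Denylist the transformer discussed in the thread (3.x and 4.x package names, assumed here).
        Set<String> denied = new HashSet<>(Arrays.asList(
            "org.apache.commons.collections.functors.InvokerTransformer",
            "org.apache.commons.collections4.functors.InvokerTransformer"));
        // Constructed sample input: a harmless java.util.Date serialized in-process.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new Date(0)); }
        byte[] bytes = bos.toByteArray();
        System.out.println("allowed: " + readDenying(bytes, denied));
        // Show the rejection path by denying Date itself (stands in for a gadget class).
        Set<String> denyDate = new HashSet<>(denied);
        denyDate.add("java.util.Date");
        try {
            readDenying(bytes, denyDate);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A denylist only covers the classes you already know about; where the set of expected types is known, an allowlist in the same resolveClass hook (or a JEP 290 ObjectInputFilter on Java 9+) is the stronger control.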