On 11/08/2015 09:36 PM, James Carman wrote:
> Oh nasty! I must've met, this is quite a fascinating exploit. I'm going to
> do some digging later today when I am at my computer.

I just figured that the xalan code already does have a system property to prevent translets from being de-serialized:

    public final static String DESERIALIZE_TRANSLET = "jdk.xml.enableTemplatesImplDeserialization";

so a similar solution to what we are going to do for collections.

Thomas
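
The kind of system-property gate discussed in this message, as an added example (not code from Xalan, Commons Collections, or this thread): a serializable class refuses to be rebuilt by ObjectInputStream unless the operator has opted in. The property name `example.enableUnsafeDeserialization` and the class names are hypothetical.

```java
import java.io.*;

public class DeserializationGateDemo {
    // Hypothetical property name, chosen for this example only.
    static final String ENABLE_PROP = "example.enableUnsafeDeserialization";

    /** Stand-in for a class that must not be rebuilt from untrusted bytes. */
    static class GuardedFunctor implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String methodName;

        GuardedFunctor(String methodName) { this.methodName = methodName; }

        // Invoked by ObjectInputStream. The property is read on every call,
        // so the default (unset) state always rejects the stream.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            if (!Boolean.getBoolean(ENABLE_PROP)) {
                throw new UnsupportedOperationException(
                    "Deserialization of " + getClass().getName()
                    + " is disabled; set -D" + ENABLE_PROP + "=true to allow it");
            }
            in.defaultReadObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Returns true if the stream was accepted, false if the gate rejected it.
    static boolean canDeserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            return true;
        } catch (UnsupportedOperationException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new GuardedFunctor("toString")); // constructed sample
        System.clearProperty(ENABLE_PROP);
        System.out.println("default:  " + canDeserialize(bytes));
        System.setProperty(ENABLE_PROP, "true");
        System.out.println("opted in: " + canDeserialize(bytes));
    }
}
```

The gate only covers classes that carry the check in their own readObject; other serializable types on the classpath are unaffected by it.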