On 11/08/2015 09:36 PM, James Carman wrote:
> Oh nasty! I must've met, this is quite a fascinating exploit. I'm going to
> do some digging later today when I am at my computer.
I just figured that the xalan code already does have a system property
to prevent translets from being de-serialized:
public final static String DESERIALIZE_TRANSLET =
"jdk.xml.enableTemplatesImplDeserialization";
so a similar solution what we are going to do for collections.
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
