Hi, the reference for Apache Commons (in general) and FileUpload (in particular) is the Apache SVN repository, and not Github. Have a look at [1], which is the source code of FileItem for 1.3.2. This release is intended to be completely binary compatible with previous releases. As a consequence, FileItem is still implementing Serializable in that version. We removed the Serializable from the Trunk, which is intended for future releases. Those future releases aren't necessarily binary compatible.
Jochen

[1] https://svn.apache.org/viewvc/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2/src/main/java/org/apache/commons/fileupload/FileItem.java?revision=1745636&view=markup

On Thu, Jun 23, 2016 at 1:28 PM, Kensuke Matsuzaki <knsk.m...@gmail.com> wrote:
> Hi,
>
> Until you fixed it at "DiskFileItem is no longer Serializable", an attacker could
> delete any file by sending malicious serialized data.
> But 1.3.2's release notes say nothing about that. Is it intended?
>
> https://github.com/apache/commons-fileupload/commit/7b201e44962c99cf4019e137aee9ccc0273c3ab1

--
The next time you hear: "Don't reinvent the wheel!"
http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
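The thread turns on one fact: in FileUpload 1.3.2 DiskFileItem still implements Serializable for binary compatibility, so an application that deserializes untrusted input cannot rely on the library version alone and has to decide on its own which classes it will accept. The following is an added example written for this page; it is not code from the thread or from Commons FileUpload. It shows the defensive pattern of look-ahead deserialization: an ObjectInputStream subclass that rejects any class not on an explicit allow-list before the class is loaded, plus a small reflective check that reports whether the FileUpload build on the classpath still marks DiskFileItem as Serializable. The class names AllowListObjectInputStream and Greeting, the allow-list contents, and the sample stream are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Look-ahead deserialization: resolves only classes on an explicit allow-list
 * and rejects everything else before any object is instantiated.
 * Added example for this thread, not Commons FileUpload code.
 */
public final class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical allow-list for this example. A real application lists
    // exactly the classes it expects to receive from this stream, nothing more.
    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Rejected before the class is loaded. A stream carrying
            // org.apache.commons.fileupload.disk.DiskFileItem (Serializable in 1.3.2)
            // fails here because that class is never on the list.
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Reports whether a class on the current classpath is Serializable without
    // instantiating it. With FileUpload 1.3.2 this is true for DiskFileItem;
    // with a trunk build (per Jochen's mail) it would be false.
    public static boolean isSerializableOnClasspath(String className) {
        try {
            Class<?> c = Class.forName(className, false,
                    AllowListObjectInputStream.class.getClassLoader());
            return Serializable.class.isAssignableFrom(c);
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    // Harmless constructed payload type: the one class the example expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stream: a serialized Greeting built in-process.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Greeting("hello"));
        }
        byte[] stream = bos.toByteArray();

        // Expected class on the allow-list: accepted.
        Set<String> allowed = Set.of(Greeting.class.getName());
        try (ObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(stream), allowed)) {
            Greeting g = (Greeting) in.readObject();
            System.out.println("accepted: " + g.text);
        }

        // Same stream against an empty allow-list: rejected in resolveClass,
        // before any constructor or readObject method of the payload runs.
        try (ObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(stream), Set.of())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println("DiskFileItem serializable on classpath: "
                + isSerializableOnClasspath("org.apache.commons.fileupload.disk.DiskFileItem"));
    }
}
```

On Java 9 and later the same policy can be expressed without a subclass through ObjectInputStream.setObjectInputFilter (JEP 290), which also lets you cap stream depth and array sizes; the resolveClass override above works on Java 8 as well. Either way the decision belongs to the application that opens the stream, because, as the mail explains, the 1.3.2 line keeps DiskFileItem Serializable on purpose.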