On Thu, Jun 23, 2016 at 4:10 PM, Kensuke Matsuzaki <[email protected]> wrote:
> Hi,
>
> I tried commons-fileupload-1.3.2.jar, and the same exploit works.
> I agree that binary compatibility is important, but `rm /etc/foo` is
> important too.
> Isn't it possible to disable serialization of DiskFileItem by a system
> property, like commons-collections-3.2.2?
That's why we removed it for the 1.4 releases. The 1.3 releases are a
different matter. Btw, you are welcome to compile your own version from
the sources and use that. No need to wait.

Jochen

--
The next time you hear: "Don't reinvent the wheel!"
http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
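The thread asks for a commons-collections-3.2.2 style kill switch on DiskFileItem deserialization. The example below is added here and is not code from commons-fileupload or from either poster. It shows the two controls a practitioner on a 1.3.x jar can actually reach for: a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, Java 9+, also backported to 8u121 as sun.misc.ObjectInputFilter) that rejects the gadget class by name before its readObject ever runs, and the readObject opt-in guard pattern commons-collections 3.2.2 uses. The class SimulatedDiskFileItem is a stand-in so the example runs without commons-fileupload on the classpath, and the system property example.fileupload.enableUnsafeSerialization is a hypothetical name for illustration, not one the project defines.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example: two ways to refuse deserialization of a gadget class
 * such as DiskFileItem without waiting for a patched jar.
 */
public class DeserializationGuard {

    // Stand-in for DiskFileItem so this compiles without commons-fileupload.
    // In the real class the repository path read from the stream decides
    // where the item's temp file is written, which is what the exploit abuses.
    static class SimulatedDiskFileItem implements Serializable {
        private static final long serialVersionUID = 1L;
        String repositoryPath;   // attacker-controlled in the real class
        SimulatedDiskFileItem(String p) { repositoryPath = p; }

        // Pattern borrowed from commons-collections 3.2.2: deserialization is
        // off unless a system property explicitly opts in. The property name
        // here is hypothetical, not one commons-fileupload defines.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            if (!Boolean.getBoolean("example.fileupload.enableUnsafeSerialization")) {
                throw new InvalidClassException(getClass().getName(),
                    "deserialization disabled; set -Dexample.fileupload.enableUnsafeSerialization=true to allow");
            }
            in.defaultReadObject();
        }
    }

    // JEP 290 filter: reject the gadget class by name, cap graph depth, allow
    // the rest. The same pattern string can be set JVM-wide with -Djdk.serialFilter=...
    // so it protects code you cannot recompile, such as a 1.3.x jar.
    static final ObjectInputFilter REJECT_FILEUPLOAD_GADGET = ObjectInputFilter.Config.createFilter(
        "!org.apache.commons.fileupload.disk.DiskFileItem;"
        + "!DeserializationGuard$SimulatedDiskFileItem;"
        + "maxdepth=10;*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload standing in for the serialized DiskFileItem in the report.
        byte[] payload = serialize(new SimulatedDiskFileItem("/etc/foo"));

        // 1. The stream filter rejects the class before readObject is reached.
        try {
            deserialize(payload, REJECT_FILEUPLOAD_GADGET);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }

        // 2. No filter: the class's own guard refuses because the property is unset.
        try {
            deserialize(payload, null);
        } catch (InvalidClassException e) {
            System.out.println("readObject guard rejected: " + e.getMessage());
        }

        // 3. Explicit opt-in, the way commons-collections 3.2.2 re-enables it.
        System.setProperty("example.fileupload.enableUnsafeSerialization", "true");
        SimulatedDiskFileItem item = (SimulatedDiskFileItem) deserialize(payload, null);
        System.out.println("opted in, repositoryPath=" + item.repositoryPath);
    }
}
```

The filter is the control that matters for the 1.3.x users in the thread: it needs no change to the jar, and the same pattern can be applied to every ObjectInputStream in the JVM via the jdk.serialFilter property. The readObject guard is what a library fix looks like, and it only helps once the fixed jar is deployed.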
