[gwt-contrib] Re: Java Deserialization vulnerability in GWT-RPC

2015-11-21 Thread Jens
> AIUI this actually has nothing to do with Apache Commons, but about any
> case of deserialization of untrusted data:
> https://www.owasp.org/index.php/Deserialization_of_untrusted_data
>

[gwt-contrib] Re: Java Deserialization vulnerability in GWT-RPC

2015-11-21 Thread Thomas Broyer
On Saturday, November 21, 2015 at 3:36:02 PM UTC+1, Jens wrote:
>
> I think a flag to disable the enhanced classes feature isn't worth it.
> Apps that need that feature will stop working so they won't use that flag.
> Apps that do not use this feature are not vulnerable unless the attacker
> c

[gwt-contrib] Re: Java Deserialization vulnerability in GWT-RPC

2015-11-21 Thread Jens
I think a flag to disable the enhanced classes feature isn't worth it. Apps that need that feature will stop working so they won't use that flag. Apps that do not use this feature are not vulnerable unless the attacker can also control the content of the rpc policy file somehow. I would output