Couldn't they use the same attack vector to set a system property also? I do believe that would be possible.

On Sun, Nov 8, 2015 at 1:46 PM Emmanuel Bourg <[email protected]> wrote:

> On 08/11/2015 15:12, Thomas Neidhart wrote:
>
> > with the default being: do not de-serialize InvokerTransformer?
> > Then I would be ok going that route.
>
> I like the idea too. I have a question though: do we use a common
> property enabling unsafe deserialization for all commons components, or
> do we use a property per component or even per class?
>
> Emmanuel Bourg
