melloware opened a new pull request #7: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesB…
URL: https://github.com/apache/commons-beanutils/pull/7

Fixes CVE-2014-0114: https://nvd.nist.gov/vuln/detail/CVE-2014-0114

This patch by default enables the `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, so you are secure by default. To opt out and allow access to the "class" property, making it work like BeanUtils 1.9.3 or lower, simply add this one line of code to remove the feature:

```java
final BeanUtilsBean bub = new BeanUtilsBean();
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
```

This makes the library more secure by default but still allows backward compatibility.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

With regards,
Apache Git Services
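The following is an added example, not code from the pull request or from Commons BeanUtils itself, showing how to verify the behaviour the PR describes: with `SUPPRESS_CLASS` registered by default, the `class` property (the first hop of a CVE-2014-0114 style `class.classLoader...` payload) is no longer reachable through `PropertyUtilsBean`, and `removeBeanIntrospector` restores the pre-1.9.4 behaviour. It assumes a BeanUtils build where this patch is applied (the introspector is registered by default); the `Account` bean, the `untrusted` map and the `ClassPropertyCheck` class name are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed target bean: the kind of form-backing object that
    // BeanUtilsBean.populate() fills from request parameters.
    public static class Account {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Returns true when "class" resolves as a readable property on the bean,
     * i.e. when an attacker-controlled property name could start walking
     * from the bean to its Class and ClassLoader.
     */
    static boolean classPropertyReachable(PropertyUtilsBean pub, Object bean) {
        try {
            pub.getProperty(bean, "class");
            return true;
        } catch (NoSuchMethodException e) {
            // SUPPRESS_CLASS hides the property, so introspection reports no such getter.
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        Account account = new Account();

        // Constructed untrusted input: a benign field plus a nested path of the
        // shape used in CVE-2014-0114 payloads (the exact tail is illustrative).
        Map<String, Object> untrusted = new HashMap<>();
        untrusted.put("name", "alice");
        untrusted.put("class.classLoader.illustrativeTail", "x");

        // 1. Default (patched) configuration: "class" is suppressed.
        BeanUtilsBean secure = new BeanUtilsBean();
        PropertyUtilsBean securePub = secure.getPropertyUtils();
        System.out.println("default, class reachable: "
                + classPropertyReachable(securePub, account));           // expected: false
        secure.populate(account, untrusted);                              // nested "class." path is skipped
        System.out.println("default, describe() keys: " + secure.describe(account).keySet()); // no "class"

        // 2. Explicit opt-out (the one-liner from the PR): legacy 1.9.3 behaviour.
        BeanUtilsBean legacy = new BeanUtilsBean();
        PropertyUtilsBean legacyPub = legacy.getPropertyUtils();
        legacyPub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("opt-out, class reachable: "
                + classPropertyReachable(legacyPub, account));           // expected: true
        Object loader = legacyPub.getProperty(account, "class.classLoader");
        System.out.println("opt-out, class.classLoader resolves to: "
                + (loader == null ? "null" : loader.getClass().getName()));

        // 3. Re-enable suppression on the same instance if the opt-out was only temporary.
        legacyPub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("re-enabled, class reachable: "
                + classPropertyReachable(legacyPub, account));           // expected: false
    }
}
```

Note that `populate()` does not throw when the nested `class.classLoader...` name is suppressed: `BeanUtilsBean.setProperty` catches the `NoSuchMethodException` during nested resolution and silently skips that property, so a test that only checks for exceptions proves nothing. Assert on `classPropertyReachable` or on the absence of `class` in `describe()` instead.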
