Turns out Dependabot seems to want the unforking:
https://github.com/jenkinsci/jenkins/pull/5171

The comment regarding DiskFileItem in FileParameterValue dates back 13 years.
Regarding JEP-200, there might be some rogue plugin that perhaps attempts to 
serialize this apparently unserializable object.
Perhaps we should remove it from the whitelist and test it. Even 
FileParameterValue uses the FileItem transiently, so no serialization happens 
there.


On Wednesday, 13 January 2021 at 13:09:01 UTC+8 m...@basilcrow.com wrote:

> On Tue, Jan 12, 2021 at 7:33 PM Jesse Glick <jgl...@cloudbees.com> wrote:
> >
> > sounds like it would break normal usage from Jenkins
>
> The status quo is Commons FileUpload 1.3.1-jenkins-2 (patch in my
> previous message), which _already_ removed serialization from
> DiskFileItem.
>
> Here is the timeline of events upstream:
>
> Feb 7, 2014: Commons FileUpload 1.3.1 released [1]
>
> May 26, 2016: Commons FileUpload 1.3.2 released [2], in which
> CVE-2016-3092 is fixed (see
> src/main/java/org/apache/commons/fileupload/MultipartStream.java)
>
> July 3, 2020: Commons FileUpload 1.4.0 released [3], in which
> DiskFileItem is made no longer Serializable (see
> src/main/java/org/apache/commons/fileupload/FileItem.java)
>
> Meanwhile, in Jenkins-land:
>
> Sep 27, 2014: Jenkins adopts 1.3.1-jenkins-1 [4] in commit 28d997704f,
> in which DiskFileItem is made no longer Serializable, preceding upstream
> by over 6 years (see
> src/main/java/org/apache/commons/fileupload/FileItem.java)
>
> Sep 28-29, 2017: Jenkins adopts 1.3.1-jenkins-2 [5] in commit
> ea981a029c, in which CVE-2016-3092 is fixed, a year and a half after
> upstream (see
> src/main/java/org/apache/commons/fileupload/MultipartStream.java)
>
> Both of the patches from the Jenkins fork are present in upstream
> release 1.4, so we should be able to unfork to upstream release 1.4.
>
> Can you see a flaw in my reasoning?
>
> [1] https://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.1-src.tar.gz
> [2] https://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz
> [3] https://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-1.4-src.tar.gz
> [4] https://repo.jenkins-ci.org/releases/commons-fileupload/commons-fileupload/1.3.1-jenkins-1/commons-fileupload-1.3.1-jenkins-1-src.tar.gz
> [5] https://repo.jenkins-ci.org/releases/commons-fileupload/commons-fileupload/1.3.1-jenkins-2/commons-fileupload-1.3.1-jenkins-2-source-release.zip
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/bca3ce17-5342-4829-9110-741a98e48986n%40googlegroups.com.