Thanks Chris,
Over the last year I've been working on reimplementing OIS. I've been able to
retain serial form compatibility, but have made some changes to the deserialization
API.
With the reimpl, existing Serializable objects that are stateless or those with
only primitive fields are allowed to
Peter,
I, along with others within Oracle, am interested in this general
area. We are tied up with other issues at the moment, but I hope to
get this within the next couple of weeks.
-Chris.
On 04/02/16 00:40, Peter Firmstone wrote:
In light of recent examples of gadget deserialization attack