There's a one-letter typo in DefaultNotSoSerial that populates a blank whitelist when reading any file list, which means that a custom-blacklist-only mode can't exist. This only occurs if the blacklist property is used, rather than depending on the default blacklist.
Pull request coming shortly.
@drosenbauer Any idea when this pull request will be merged? This issue is preventing us from using notsoserial in our application.
We want to disable the deserialization of Apache Commons FileUpload's "org.apache.commons.fileupload.disk.DiskFileItem" class to prevent the following vulnerability: https://www.tenable.com/security/research/tra-2016-12
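The failure mode reported in this issue, as an added sketch that is not NotSoSerial's code: `FilteringStream` and its null-versus-empty whitelist convention are assumptions made for illustration, and `java.util.BitSet` is a constructed stand-in for the `DiskFileItem` class, which is not on the demo classpath. It shows why a whitelist that is populated as blank, instead of left unset, turns a blacklist-only configuration into one that rejects every class.

```java
import java.io.*;
import java.util.Set;

// Hypothetical filter for illustration only; not the project's implementation.
public class WhitelistModeDemo {
    static class FilteringStream extends ObjectInputStream {
        private final Set<String> blacklist;
        private final Set<String> whitelist; // assumption: null means "no whitelist configured"

        FilteringStream(InputStream in, Set<String> blacklist, Set<String> whitelist) throws IOException {
            super(in);
            this.blacklist = blacklist;
            this.whitelist = whitelist;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (blacklist.contains(name)) throw new InvalidClassException(name, "blacklisted");
            // A non-null but empty whitelist matches nothing, so every class fails here.
            if (whitelist != null && !whitelist.contains(name))
                throw new InvalidClassException(name, "not whitelisted");
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static String tryRead(byte[] data, Set<String> blacklist, Set<String> whitelist) {
        try (ObjectInputStream in = new FilteringStream(new ByteArrayInputStream(data), blacklist, whitelist)) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Set<String> blacklist = Set.of("java.util.BitSet"); // stand-in for the class to block
        byte[] allowed = serialize(new java.util.Date());   // constructed sample inputs
        byte[] blocked = serialize(new java.util.BitSet());
        System.out.println(tryRead(allowed, blacklist, null));     // intended blacklist-only mode
        System.out.println(tryRead(blocked, blacklist, null));     // blacklisted class is refused
        System.out.println(tryRead(allowed, blacklist, Set.of())); // blank whitelist: benign class refused too
    }
}
```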