Blacklisting only does not work #31

Open
drosenbauer opened this issue May 17, 2016 · 1 comment

Comments

@drosenbauer

There's a one-letter typo in DefaultNotSoSerial that populates a blank whitelist when reading any file list, which means that a custom-blacklist-only mode can't exist. This only occurs if the blacklist property is used, rather than depending on the default blacklist.

Pull request coming shortly.

@sanjaythaire

@drosenbauer Any idea when this pull request will be merged? This issue is preventing us from using notsoserial in our application.

We want to disable the deserialization of Apache Commons FileUpload's "org.apache.commons.fileupload.disk.DiskFileItem" class to prevent the following vulnerability:
https://www.tenable.com/security/research/tra-2016-12

If this issue is not fixed, we are planning to try https://github.com/Contrast-Security-OSS/contrast-rO0. Please let me know; looking forward to your reply...
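
The blacklist-only semantics this thread relies on, as a hypothetical model added here (not notsoserial's code, nor its actual fix): a blacklist load must leave the whitelist disabled, so a constructed stream holding only harmless classes is still accepted, whereas a load that leaves an empty-but-active whitelist behind rejects every class, which is one way the reported symptom can arise. All class and method names below are assumptions for the illustration.

```java
import java.io.*;
import java.util.*;

// Hypothetical filter model written for this issue; not notsoserial's code.
public class BlacklistOnlyDemo {
    static final class ClassFilter {
        private final Set<String> blacklist;
        private final Set<String> whitelist; // null means whitelist mode is off
        ClassFilter(Set<String> b, Set<String> w) { blacklist = b; whitelist = w; }
        boolean isAllowed(String className) {
            if (blacklist.contains(className)) return false;
            // Only an actually configured whitelist restricts everything else.
            return whitelist == null || whitelist.contains(className);
        }
    }
    // Correct: loading a blacklist file leaves the whitelist disabled.
    static ClassFilter blacklistOnly(Collection<String> entries) {
        return new ClassFilter(new HashSet<>(entries), null);
    }
    // Shape of the reported defect: the blacklist load leaves an empty-but-active whitelist behind.
    static ClassFilter buggyBlacklistOnly(Collection<String> entries) {
        return new ClassFilter(new HashSet<>(entries), new HashSet<>());
    }
    // Enforce the filter where class names are resolved during readObject().
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final ClassFilter filter;
        FilteringObjectInputStream(InputStream in, ClassFilter f) throws IOException { super(in); filter = f; }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (!filter.isAllowed(d.getName()))
                throw new InvalidClassException(d.getName(), "blocked by deserialization filter");
            return super.resolveClass(d);
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> entries = List.of("org.apache.commons.fileupload.disk.DiskFileItem");
        // Constructed sample stream: a harmless ArrayList, nothing from the blacklist.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new ArrayList<>(List.of("ok"))); }
        for (ClassFilter f : List.of(blacklistOnly(entries), buggyBlacklistOnly(entries))) {
            try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bos.toByteArray()), f)) {
                System.out.println("allowed: " + ois.readObject());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The fixed filter reads the sample back and would still refuse a stream naming the blacklisted DiskFileItem class; the buggy filter refuses even java.util.ArrayList, which is why no usable blacklist-only mode exists while such a defect is present.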
