Posted to dev@commons.apache.org by Jochen Wiedmann <jo...@gmail.com> on 2016/06/23 11:38:30 UTC

Re: DiskFileItem at Apache Commons FileUpload 1.3.2

Hi,

the reference for Apache Commons (in general) and FileUpload (in
particular) is the Apache SVN repository, and not GitHub. Have a look
at [1], which is the source code of FileItem for 1.3.2. This release
is intended to be completely binary compatible with previous releases.
As a consequence, FileItem still implements Serializable in that
version. We removed Serializable from trunk, which is intended
for future releases. Those future releases aren't necessarily binary
compatible.

Jochen


[1] https://svn.apache.org/viewvc/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2/src/main/java/org/apache/commons/fileupload/FileItem.java?revision=1745636&view=markup

On Thu, Jun 23, 2016 at 1:28 PM, Kensuke Matsuzaki <kn...@gmail.com> wrote:
> Hi,
>
> Until you fixed "DiskFileItem is no longer Serializable", an attacker could
> delete any file by sending malicious serialized data.
> But 1.3.2's release notes say nothing about that. Is that intended?
>
> https://github.com/apache/commons-fileupload/commit/7b201e44962c99cf4019e137aee9ccc0273c3ab1
>



-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: DiskFileItem at Apache Commons FileUpload 1.3.2

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Thu, Jun 23, 2016 at 4:10 PM, Kensuke Matsuzaki <kn...@gmail.com> wrote:
> Hi,
>
> I tried commons-fileupload-1.3.2.jar, and the same exploit works.
> I agree that binary compatibility is important, but `rm /etc/foo` is
> important too.
> Isn't it possible to disable serialization of DiskFileItem by a system
> property,
> like commons-collections-3.2.2?

That's why we removed it for the 1.4 releases. The 1.3 releases are a
different matter. Btw, you are welcome to compile your own version
from the sources, and use that. No need to wait.

Jochen


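The thread leaves the 1.3.x line with DiskFileItem still Serializable, and Jochen's advice is to build from trunk. An application that cannot do that, but must deserialize data from an untrusted source, can still refuse the class on the deserialization side: a look-ahead ObjectInputStream checks the class name in resolveClass(), which runs before the object is allocated, so the class's readObject() never executes. The code below is an added example written for this page; it is not code from the thread, from Commons FileUpload, or from the Apache project. It assumes a plain Java 7+ runtime, uses the fully qualified name org.apache.commons.fileupload.disk.DiskFileItem for the class the thread discusses, and stands in a constructed HypotheticalGadget class for any Serializable type whose readObject() has side effects, since the FileUpload jar is not on the classpath here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Look-ahead deserialization: decide on the class name before
 * ObjectInputStream instantiates anything, so a hostile readObject()
 * is never reached. Added example; not part of Commons FileUpload.
 */
public class FilteredObjectInputStream extends ObjectInputStream {

    // Explicit deny entry for the class discussed in the thread (assumed FQCN).
    private static final Set<String> DENIED = new HashSet<String>(Arrays.asList(
            "org.apache.commons.fileupload.disk.DiskFileItem"));

    // Allow-list of classes the application actually expects in this stream.
    private final Set<String> allowed;

    public FilteredObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Called while the class descriptor is being read, i.e. before the
        // instance exists; throwing here aborts the stream safely.
        if (DENIED.contains(name) || !allowed.contains(name)) {
            throw new InvalidClassException(name, "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Serialize an object to bytes (used to build the demo inputs). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        try {
            oos.writeObject(o);
        } finally {
            oos.close();
        }
        return bos.toByteArray();
    }

    /** Deserialize bytes through the filter, returning the object or throwing. */
    static Object readFiltered(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        FilteredObjectInputStream in =
                new FilteredObjectInputStream(new ByteArrayInputStream(bytes), allowed);
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    /** Constructed stand-in for a class whose readObject() does something harmful. */
    static class HypotheticalGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // a real gadget would act on the filesystem here
        }
    }

    public static void main(String[] args) throws Exception {
        // Only ArrayList is expected; String elements are written as TC_STRING and
        // never go through resolveClass, so they need no entry.
        Set<String> allowed = new HashSet<String>(Arrays.asList("java.util.ArrayList"));

        byte[] benign = serialize(new ArrayList<String>(Arrays.asList("a", "b")));
        System.out.println("benign payload read as: " + readFiltered(benign, allowed));

        byte[] hostile = serialize(new HypotheticalGadget());
        try {
            readFiltered(hostile, allowed);
            System.out.println("UNEXPECTED: gadget accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Stays false: the filter fired before readObject() could run.
        System.out.println("gadget readObject ran: " + HypotheticalGadget.readObjectRan);
    }
}
```

The allow-list has to name every Serializable class in the object graph, including serializable superclasses, since each one gets its own descriptor and its own resolveClass() call; start from the classes the endpoint really needs and let anything else fail closed. On Java 9 and later the same policy can be expressed without subclassing, via ObjectInputStream.setObjectInputFilter() with a filter from ObjectInputFilter.Config.createFilter(), using a pattern such as "!org.apache.commons.fileupload.disk.DiskFileItem;java.util.ArrayList;!*".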