https://bz.apache.org/bugzilla/show_bug.cgi?id=58662
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
If an attacker can add a JAR to that directory then deserialization is likely to be the least of your worries.

The recent spate of deserialization issues is only of concern if an application accepts untrusted data and deserializes without validation/sanitization. A default Tomcat install does not expose any such mechanism. If an application chooses to accept such input then validation/sanitization is an application concern.

I'll also note that security concerns should be raised via the security list, not via a public bug tracker.
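The comment above leaves "validation/sanitization" of deserialized input to the application. The following is an added illustration of what that looks like in practice on Java 9 or later; it is not Tomcat code and not part of the bug report. It applies a java.io.ObjectInputFilter allowlist to an ObjectInputStream so that only the types an endpoint actually expects can be instantiated, and it shows the stream rejecting a constructed, unexpected type before any of that type's code runs. The class names FilteredDeserialization and UnexpectedType and the constant ALLOWLIST are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class FilteredDeserialization {

    // Allowlist (assumed for this example): only the types this endpoint
    // legitimately expects, plus limits on graph depth and array length.
    // The trailing "!*" rejects every other class, and the check happens
    // when the class descriptor is read, before any constructor or
    // readObject of an unexpected type can execute. Pattern syntax is that
    // of java.io.ObjectInputFilter.Config.createFilter.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;"
            + "java.util.ArrayList;java.lang.String;!*");

    // Constructed sample: a serializable type the endpoint does NOT expect.
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "constructed sample";
    }

    // Helper to produce serialized bytes for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist applied. ObjectInputStream throws
    // InvalidClassException when the filter rejects a class.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: an ArrayList of Strings passes the filter.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        Object ok = deserializeFiltered(serialize(expected));
        System.out.println("accepted: " + ok);

        // Unexpected input: the stream is rejected at the class descriptor.
        try {
            deserializeFiltered(serialize(new UnexpectedType()));
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is attached per stream here so the allowlist can be as narrow as each endpoint's contract; the same pattern string can instead be installed process-wide with the jdk.serialFilter system property, which is a useful backstop but not a substitute for knowing what each endpoint expects. Logging the rejected class name from the InvalidClassException gives a detection signal for probes against the endpoint.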