On Thu, Jun 23, 2016 at 4:10 PM, Kensuke Matsuzaki wrote:
> Hi,
>
> I tried commons-fileupload-1.3.2.jar, and the same exploit works.
> I agree that binary compatibility is important, but `rm /etc/foo` is
> important too.
> Isn't it possible to disable serialization of DiskFileItem by system
>
Hi,
the reference for Apache Commons (in general) and FileUpload (in
particular) is the Apache SVN repository, and not Github. Have a look
at [1], which is the source code of FileItem for 1.3.2. This release
is intended to be completely binary compatible with previous releases.
As a consequence, Fil