kantega / notsoserial

Java Agent which mitigates deserialisation attacks by making certain classes unserializable
Apache License 2.0

Blacklisting only does not work #31

Open drosenbauer opened 8 years ago

drosenbauer commented 8 years ago

There's a one-letter typo in DefaultNotSoSerial that populates a blank whitelist when reading any file list, which means that a custom-blacklist-only mode can't exist. This only occurs if the blacklist property is used, rather than depending on the default blacklist.

Pull request coming shortly.

sanjaythaire commented 8 years ago

@drosenbauer Any idea when this pull request will be merged? This issue is preventing us from using notsoserial in our application.

We want to disable the deserialization of Apache Commons FileUpload's "org.apache.commons.fileupload.disk.DiskFileItem" class to prevent the following vulnerability: https://www.tenable.com/security/research/tra-2016-12

If this issue is not fixed, we are planning to try https://github.com/Contrast-Security-OSS/contrast-rO0. Please let me know, looking forward to your reply.
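An added illustration, not the project's code and not from either commenter, of why a stray blank whitelist defeats a blacklist-only configuration. It assumes the agent's decision rule is: a configured (non-null) whitelist takes precedence and only listed classes may deserialise, otherwise only blacklisted classes are refused; the two loaders are hypothetical reconstructions of the typo the issue describes, and the class names in the constructed blacklist file are taken from the second comment.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class BlacklistOnlyDemo {

    /** Assumed decision rule: a configured whitelist wins; otherwise the blacklist applies. */
    static boolean permitted(String cls, Set<String> whitelist, Set<String> blacklist) {
        if (whitelist != null) {
            return whitelist.contains(cls);      // whitelist mode: only listed classes pass
        }
        return !blacklist.contains(cls);         // blacklist mode: everything except listed classes
    }

    /** Holds the two lists exactly as a loader leaves them. */
    static final class Config {
        Set<String> whitelist = null;            // null means "no whitelist configured"
        Set<String> blacklist = new HashSet<>();
    }

    /** Hypothetical model of the defect: reading a blacklist file also leaves a blank whitelist behind. */
    static Config loadBuggy(Set<String> blacklistFromFile) {
        Config c = new Config();
        c.whitelist = new HashSet<>();           // the mistaken assignment: whitelist should stay null
        c.blacklist.addAll(blacklistFromFile);
        return c;
    }

    /** Corrected loader: only the blacklist is populated, so blacklist-only mode is possible. */
    static Config loadFixed(Set<String> blacklistFromFile) {
        Config c = new Config();
        c.blacklist.addAll(blacklistFromFile);
        return c;
    }

    public static void main(String[] args) {
        // Constructed blacklist file contents: the class the second comment wants refused
        Set<String> fromFile = new HashSet<>(Arrays.asList(
                "org.apache.commons.fileupload.disk.DiskFileItem"));
        String target = "org.apache.commons.fileupload.disk.DiskFileItem";
        String ordinary = "java.util.ArrayList";   // a class the application still legitimately needs

        Config[] configs = { loadBuggy(fromFile), loadFixed(fromFile) };
        String[] labels = { "buggy loader", "fixed loader" };
        for (int i = 0; i < configs.length; i++) {
            Config c = configs[i];
            // Buggy: both false (blank whitelist refuses everything). Fixed: false, true.
            System.out.println(labels[i] + ": " + target + " -> " + permitted(target, c.whitelist, c.blacklist)
                    + ", " + ordinary + " -> " + permitted(ordinary, c.whitelist, c.blacklist));
        }
    }
}
```

With the buggy loader every class, including `java.util.ArrayList`, is refused, which is the "blacklist-only mode can't exist" symptom; with the fixed loader only the listed `DiskFileItem` is refused.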