Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.6.7, 1.7.14
- None
Description
We could use the class https://commons.apache.org/proper/commons-io/javadocs/api-2.5/org/apache/commons/io/serialization/ValidatingObjectInputStream.html to restrict de-serialization to the required classes and throw errors in case of others.
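A sketch of the allow-list approach proposed above, as an added example that is not this project's code. It assumes Commons IO 2.5 or later on the classpath; `AllowListDeserialize`, `Settings`, `serialize` and `readRestricted` are hypothetical names, and the byte streams are constructed in-process.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class AllowListDeserialize {

    // Hypothetical application type: the only class the stream should contain.
    static class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "default";
    }

    // Helper that builds constructed sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an explicit allow-list. With no accept() call the
    // stream rejects every class, so each required class must be listed.
    static Object readRestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream in =
                 new ValidatingObjectInputStream(new ByteArrayInputStream(data))) {
            in.accept(Settings.class);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected class passes validation.
        Settings s = (Settings) readRestricted(serialize(new Settings()));
        System.out.println("accepted: " + s.name);

        // Any other class fails when its class descriptor is resolved,
        // before an instance of it is created.
        try {
            readRestricted(serialize(new ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check runs on every class descriptor in the stream, so classes nested inside an accepted object also need an `accept` entry or the read fails.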