IRC log for #dataverse, 2019-02-20

Connect via chat.dataverse.org to discuss Dataverse (dataverse.org, an open source web application for sharing, citing, analyzing, and preserving research data) with users and developers.

All times shown according to UTC.

Time S Nick Message
03:11 jri joined #dataverse
06:11 jri joined #dataverse
07:47 jri joined #dataverse
13:53 MrK joined #dataverse
14:20 donsizemore joined #dataverse
15:06 donsizemore joined #dataverse
15:31 pameyer joined #dataverse
15:45 donsizemore @pameyer beep bop
15:47 pameyer @donsizemore - good morning
15:50 donsizemore curious to hear your thoughts on https://commons.apache.org/proper/commons-fileupload/security-reports.html
15:51 pameyer I'll take a look
15:51 donsizemore "In practice, however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. In the unlikely case, that your application depends on the deserialization of DiskFileItems, you can revert to the previous behaviour by setting the system property "org.apache.commons.fileupload.disk.DiskFileItem.serializable" to "true"."
15:52 donsizemore I'm trying to decide whether to open an issue to get it on IQSS' radar (or maybe send to security@)
15:54 pameyer it very well might be - probably would make more sense to security@ rather than github
15:54 pameyer still thinking things through on it...
15:58 pameyer I think it's worth sending to security@.  I think the key is serialization/deserialization, and my understanding is that data files / logos / other arbitrary files get treated as byte streams rather than be deserialized
15:59 pameyer but "create arbitrarily located files" is the kind of thing that it would be good to have one of the folks who's more of a java dev than me confirm
16:00 pameyer good find, btw - this wasn't one that had crossed my radar before
16:00 donsizemore security@dataverse.org, yes? $GOOG doesn't find it on their website
16:01 pameyer that's the address I've been sending stuff to
16:01 donsizemore thankee thankee
16:02 pameyer no problem :)
16:02 pameyer https://duckduckgo.com/ finds it on the first hit for "dataverse security"; odd that the great google doesn't
16:04 * donsizemore longs for AltaVista
16:04 pameyer that's a name I haven't heard in many years
16:04 donsizemore I'm literally a greybeard these days.
16:21 andrewSC joined #dataverse
16:27 isullivan joined #dataverse
18:00 donsizemore joined #dataverse
18:08 jri joined #dataverse
