Peter Stöckli created MYFACES-4133:
--------------------------------------

             Summary: Don't deserialize the client provided ViewState if the state saving method is server
                 Key: MYFACES-4133
                 URL: https://issues.apache.org/jira/browse/MYFACES-4133
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions: 2.2.12
            Reporter: Peter Stöckli


Currently the ViewState provided by the user is deserialized via Java 
deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to 
{{server}} (the default).

The deserialization in this case is unnecessary and most likely even slower than 
just sending the ViewState Id directly.
If a developer now disables the ViewState encryption by setting 
{{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces 
security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he 
might have unintentionally introduced a dangerous remote code execution (RCE) 
vulnerability as described 
[here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].

This has been discussed before on [Issue 
MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].
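The distinction the issue asks for, shown as an added example (simplified, hypothetical code written for this note, not MyFaces' own state manager): in server mode the value of the hidden {{javax.faces.ViewState}} field is only a key into a server-side store and is never handed to Java deserialization; only in client mode does the request carry the serialized state, which must pass an integrity check first. Class and method names, the token format and the HMAC-SHA256 trailer layout are assumptions.

```java
import java.io.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical simplified state manager (not MyFaces code): in SERVER mode the client-sent ViewState is only a lookup key. */
public final class ViewStateRestore {
    public enum SavingMethod { SERVER, CLIENT }

    private final SavingMethod method;
    private final byte[] macKey; // used only in CLIENT mode
    private final Map<String, Object> serverStates = new ConcurrentHashMap<>();

    public ViewStateRestore(SavingMethod method, byte[] macKey) {
        this.method = method;
        this.macKey = macKey;
    }

    /** SERVER mode: keep the state in memory and give the client an opaque token. */
    public String saveOnServer(Object viewState) {
        String token = UUID.randomUUID().toString(); // constructed, unguessable id
        serverStates.put(token, viewState);
        return token;
    }

    public Object restore(String clientValue) throws Exception {
        if (method == SavingMethod.SERVER) {
            // Only a map lookup: an unknown or tampered token yields null (view expired); no ObjectInputStream sees client bytes.
            return serverStates.get(clientValue);
        }
        // CLIENT mode: the state itself travels in the request, so verify its MAC first (encryption layer omitted here).
        byte[] payload = verifyMacAndStrip(clientValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    /** Assumed layout: base64( payload || HMAC-SHA256(payload) ); rejects anything that fails the constant-time compare. */
    private byte[] verifyMacAndStrip(String value) throws Exception {
        byte[] blob = Base64.getDecoder().decode(value);
        if (blob.length <= 32) throw new IOException("ViewState too short");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        byte[] payload = Arrays.copyOfRange(blob, 0, blob.length - 32);
        byte[] given = Arrays.copyOfRange(blob, blob.length - 32, blob.length);
        if (!MessageDigest.isEqual(mac.doFinal(payload), given)) throw new IOException("ViewState MAC mismatch");
        return payload;
    }
}
```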

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)