[ https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15029853#comment-15029853 ]
Moritz Bechler commented on MYFACES-4021:
-----------------------------------------
Me neither, I'd guess with server side state saving that is only used for the
view id (so that would be easy) but with client side state saving that could be
pretty much anything.
(And yes, this is very reachable when org.apache.myfaces.USE_ENCRYPTION=false)
I've been doing some research on this vulnerability class over the past weeks
and imho a really fundamental discussion about serialization and its use is
necessary in the Java community. But so far nobody seems to be listening (and
I'm also not quite sure what an appropriate place might be).
> blacklist
> org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan
> in MyFacesObjectInputStream
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: MYFACES-4021
> URL: https://issues.apache.org/jira/browse/MYFACES-4021
> Project: MyFaces Core
> Issue Type: Bug
> Reporter: Romain Manni-Bucau
> Priority: Blocker
>
> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56
> mechanism can be used
> (due to recent vulnerability discovered in [collections], spring, groovy we
> can't suppose we don't run with these libraries so we need this fix as well)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
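As an added example (not MyFaces' own `MyFacesObjectInputStream`), a hypothetical `DenylistObjectInputStream` applies the three package prefixes from the issue summary in `resolveClass()`, so a rejected class is never loaded; the sample payload is constructed. Since, as the comment notes, client-side state saving can carry almost any class, such a denylist is a stopgap and an allowlist of the classes the application actually expects is the stronger control.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;

// Hypothetical stand-in for MyFacesObjectInputStream (not the MyFaces code):
// rejects denylisted package prefixes in resolveClass(), before any class loads.
public class DenylistObjectInputStream extends ObjectInputStream {
    // Prefixes as listed in the MYFACES-4021 summary.
    private static final String[] DENIED_PREFIXES = {
        "org.codehaus.groovy.runtime.",
        "org.apache.commons.collections.functors.",
        "org.apache.xalan"
    };
    public DenylistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }
    // Checks the element type too: an array of a denied class arrives as "[Lpkg.Cls;".
    static boolean isDenied(String className) {
        String name = className;
        while (name.startsWith("[")) name = name.substring(1);
        if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        for (String p : DENIED_PREFIXES) {
            if (name.startsWith(p)) return true;
        }
        return false;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (isDenied(name)) {
            // Fail before Class.forName(): no static initializer or readObject of the class runs.
            throw new InvalidClassException(name, "rejected by deserialization denylist");
        }
        return super.resolveClass(desc);
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new String[] {"viewId"}); }
        try (ObjectInputStream ois = new DenylistObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("accepted: " + ((String[]) ois.readObject())[0]); // constructed, harmless state
        }
        // Constructed class name; only the prefix check is exercised, nothing from that package is loaded.
        System.out.println("denied: " + isDenied("[Lorg.codehaus.groovy.runtime.Constructed;"));
    }
}
```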