Side note:

Why would anyone turn off client-side encryption?

Sounds like a very poor idea.

> On 27 Nov 2015 at 19:11, Moritz Bechler (JIRA) <[email protected]> wrote:
> 
> 
> [ https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15030127#comment-15030127 ]
> 
> Moritz Bechler commented on MYFACES-4021:
> -----------------------------------------
> 
> Yeah, agreed on both points (at least as long as HMAC-SHA1 holds), but if I'm
> not mistaken this currently also affects server side state saving with
> encryption/MAC disabled. And that might actually be used by a few people (at
> least Google shows some results indicating this), regardless of whether that's
> a good idea.
> But I think for that case it might very well be possible to use whitelisting
> or even to completely get rid of the deserialization there.
> 
>> blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in MyFacesObjectInputStream
>> -----------------------------------------------------------------------------------------------------------------------------
>> 
>>                Key: MYFACES-4021
>>                URL: https://issues.apache.org/jira/browse/MYFACES-4021
>>            Project: MyFaces Core
>>         Issue Type: Bug
>>           Reporter: Romain Manni-Bucau
>>           Priority: Blocker
>> 
>> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56
>> mechanism can be used
>> (due to the recent vulnerability discovered in [collections], spring, groovy, we
>> can't suppose we don't run with these libraries, so we need this fix as well)
> 
> 
> 
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
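For readers unfamiliar with the mechanism the issue refers to, here is an added illustration of a package-prefix blacklist enforced in `resolveClass`, using the three prefixes named in MYFACES-4021. This is example code written for this thread, not the MyFaces or BatchEE implementation; the class name `BlacklistingObjectInputStream` and the sample payload are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.List;

/** Hypothetical stand-in for MyFacesObjectInputStream carrying the blacklist from the issue. */
public class BlacklistingObjectInputStream extends ObjectInputStream {
    // Package prefixes named in MYFACES-4021. A match aborts deserialization before the
    // class is loaded, which is why the check lives in resolveClass and not after readObject.
    private static final List<String> BLACKLIST = Arrays.asList(
            "org.codehaus.groovy.runtime.",
            "org.apache.commons.collections.functors.",
            "org.apache.xalan");

    public BlacklistingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : BLACKLIST) {
            if (name.startsWith(prefix)) {
                // Rejecting here means neither the static initialiser nor readObject of
                // the blocked class ever runs. A whitelist would invert this check.
                throw new InvalidClassException(name, "class is blacklisted");
            }
        }
        return super.resolveClass(desc);
    }

    /** Demo: a harmless constructed payload still deserialises through the filter. */
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(Arrays.asList("view", "state")); // constructed sample input
        }
        try (ObjectInputStream ois =
                     new BlacklistingObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("restored: " + ois.readObject());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing via `ObjectInputStream.setObjectInputFilter` (JEP 290); the whitelisting Moritz suggests is the stronger form of either approach, since a prefix blacklist only covers gadget classes already known.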
