[jira] [Commented] (MYFACES-4021) blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in MyFacesObjectInputStream

Leonardo Uribe (JIRA) Tue, 15 Dec 2015 16:05:30 -0800

    [ 
https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15059154#comment-15059154
 ]


Leonardo Uribe commented on MYFACES-4021:
-----------------------------------------

I think it is not necessary to do anything in this case. There is a web config 
parameter called org.apache.myfaces.SERIAL_FACTORY that allows you to provide 
your custom factory and override MyFacesObjectInputStream with something else. 
Add a blacklist on the default deserializer sounds overkill. 

> blacklist 
> org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan
>  in  MyFacesObjectInputStream
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4021
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4021
>             Project: MyFaces Core
>          Issue Type: Bug
>            Reporter: Romain Manni-Bucau
>            Priority: Blocker
>
> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56
>  mecanism can be used
> (due to recent vulnerability discovered in [collections], spring, groovy we 
> can't suppose we don't run with these libraries so we need this fix as well)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MYFACES-4021) blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in MyFacesObjectInputStream

Reply via email to