[
https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leonardo Uribe reopened MYFACES-4133:
-------------------------------------
There are some details we need to discuss with the patch.
The following classes were removed:
StateTokenProcessor
IntIntSerializedViewKey
CounterSessionViewStorageFactory
IntByteArraySerializedViewKey
CounterKeyFactory
And some new methods were added to StateCache. This requires a discussion on
dev list, but I need to review the improvements proposed first.
> Don't deserialize the ViewState-ID if the state saving method is server
> -----------------------------------------------------------------------
>
> Key: MYFACES-4133
> URL: https://issues.apache.org/jira/browse/MYFACES-4133
> Project: MyFaces Core
> Issue Type: Improvement
> Components: General
> Affects Versions: 2.2.12
> Reporter: Peter Stöckli
> Assignee: Thomas Andraschko
> Fix For: 2.3.0
>
> Attachments: 2.1.x-r1817658-r1817712.patch, MYFACES-4133.patch,
> trunk-r1817658-r1817806.patch
>
>
> Currently the ViewState-ID provided by the user is deserialized via Java
> deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to
> {{server}} (the default).
> The deserialization in this case is unecessary and most likely even slower
> than just sending the ViewState Id directly.
> If a developer now disables the ViewState encryption by setting
> {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces
> security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he
> might have unintentionally introduced a dangerous remote code execution (RCE)
> vulnerability as described
> [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue
> MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
