Uploaded image for project: 'MyFaces Core'
  1. MyFaces Core
  2. MYFACES-4133

Don't deserialize the ViewState-ID if the state saving method is server

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.2.12
    • 2.3.0
    • General
    • None

    Description

      Currently the ViewState-ID provided by the user is deserialized via Java deserialization even when the javax.faces.STATE_SAVING_METHOD is set to server (the default).

      The deserialization in this case is unecessary and most likely even slower than just sending the ViewState Id directly.
      If a developer now disables the ViewState encryption by setting org.apache.myfaces.USE_ENCRYPTION to false (against the MyFaces security advice) he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described here.

      This has been discussed before on Issue MYFACES-4021.

      Attachments

        1. 2.1.x-r1817658-r1817712.patch
          36 kB
          Andy Gumbrecht
        2. MYFACES-4133.patch
          14 kB
          Thomas Andraschko
        3. trunk-r1817658-r1817806.patch
          55 kB
          Andy Gumbrecht

        Activity

          People

            tandraschko Thomas Andraschko
            stockli Peter Stöckli
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: