
Don't deserialize the ViewState-ID if the state saving method is server

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.12
    • Fix Version/s: 2.3.0
    • Component/s: General
    • Labels:
      None

      Description

      Currently the ViewState-ID provided by the user is deserialized via Java deserialization even when the javax.faces.STATE_SAVING_METHOD is set to server (the default).

      The deserialization in this case is unnecessary and most likely even slower than just sending the ViewState-ID directly.
      If a developer now disables the ViewState encryption by setting org.apache.myfaces.USE_ENCRYPTION to false (against the MyFaces security advice), he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described here.

      This has been discussed before on Issue MYFACES-4021.
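      The following is an added illustration, not MyFaces code, of the two handling patterns the description contrasts. The class name, the in-memory cache, the key format and the method names are all hypothetical; the point is that with server-side state saving the client-supplied javax.faces.ViewState value only needs to act as an opaque lookup key, so it should never pass through an ObjectInputStream, which is where the risk comes from once org.apache.myfaces.USE_ENCRYPTION is turned off.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/**
 * Hypothetical example (not part of MyFaces): handling of the ViewState token
 * when the state itself lives in a server-side cache. Only the key travels to
 * the client, so the key should be treated as an opaque string, not as a
 * serialized Java object.
 */
public class ViewStateKeyExample {

    // Assumed server-side store: opaque key -> saved view state (any object here).
    private final Map<String, Object> sessionViewCache = new ConcurrentHashMap<>();

    // Keys are generated server-side; UUID.randomUUID() draws from SecureRandom.
    public String saveView(Object viewState) {
        String key = UUID.randomUUID().toString();
        sessionViewCache.put(key, viewState);
        return key;
    }

    /**
     * Pattern the issue warns about: the client-supplied bytes are Java-deserialized
     * before being used as a key. Without encryption the bytes are fully under the
     * client's control, so any class reachable on the classpath may be instantiated.
     */
    public Object restoreViewUnsafe(byte[] clientToken) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(clientToken))) {
            Object key = ois.readObject(); // untrusted deserialization
            return sessionViewCache.get(key);
        }
    }

    // Hardened pattern: strict format check, then a plain map lookup. No
    // deserialization takes place, and malformed tokens behave like an expired view.
    private static final Pattern KEY_FORMAT = Pattern.compile("[A-Za-z0-9-]{1,64}");

    public Object restoreViewSafe(String clientToken) {
        if (clientToken == null || !KEY_FORMAT.matcher(clientToken).matches()) {
            return null;
        }
        return sessionViewCache.get(clientToken);
    }

    public static void main(String[] args) {
        ViewStateKeyExample cache = new ViewStateKeyExample();
        String key = cache.saveView("constructed view state for /index.xhtml");

        // Round trip through the safe path succeeds with a server-issued key ...
        System.out.println("safe lookup: " + cache.restoreViewSafe(key));

        // ... and a token that is not a well-formed key is rejected before any lookup.
        System.out.println("malformed token: " + cache.restoreViewSafe("<not a key>"));
    }
}
```

      The unsafe method is included only to make the contrast visible; in a real deployment the safe path alone is what server-side state saving needs, and the encryption setting then no longer decides whether deserialization of client input can occur.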

        Attachments

        1. trunk-r1817658-r1817806.patch
          55 kB
          Andy Gumbrecht
        2. MYFACES-4133.patch
          14 kB
          Thomas Andraschko
        3. 2.1.x-r1817658-r1817712.patch
          36 kB
          Andy Gumbrecht

          People

          • Assignee: Thomas Andraschko (tandraschko)
          • Reporter: Peter Stöckli (stockli)
          • Votes: 1
          • Watchers: 5