[MYFACES-4133] Don't deserialize the ViewState-ID if the state saving method is server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.12
Fix Version/s: 2.3.0
Component/s: General
Labels:
None

Description

Currently the ViewState-ID provided by the user is deserialized via Java deserialization even when the javax.faces.STATE_SAVING_METHOD is set to server (the default).

The deserialization in this case is unecessary and most likely even slower than just sending the ViewState Id directly.
If a developer now disables the ViewState encryption by setting org.apache.myfaces.USE_ENCRYPTION to false (against the MyFaces security advice) he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described here.

This has been discussed before on Issue MYFACES-4021.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

trunk-r1817658-r1817806.patch
19/Dec/17 08:26
55 kB
Andy Gumbrecht
MYFACES-4133.patch
13/Sep/17 09:27
14 kB
Thomas Andraschko
2.1.x-r1817658-r1817712.patch
19/Dec/17 09:45
36 kB
Andy Gumbrecht

Activity

People

Assignee:: Thomas Andraschko

Reporter:: Peter Stöckli

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 15/Aug/17 15:53

Updated:: 29/Jan/18 20:04

Resolved:: 29/Jan/18 19:32