myfaces-dev mailing list archives

From "Mark Struberg (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Commented] (MYFACES-4021) blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in MyFacesObjectInputStream
Date Sun, 29 Nov 2015 18:37:11 GMT

[ https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15031126#comment-15031126 ]

Mark Struberg commented on MYFACES-4021:
----------------------------------------

The serialisation used to be required by the spec. But we do this actually _before_ we store
it in the HTTP session. The point is that you can only make sure a view state is truly separated
from the previous version by serialising it. You kind of need to get a deep copy, otherwise
changes done on references will also modify old view states. This requirement only got dropped
from the spec as it was made clear that the RI itself doesn't implement it ;)

> blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in MyFacesObjectInputStream
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4021
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4021
>             Project: MyFaces Core
>          Issue Type: Bug
>            Reporter: Romain Manni-Bucau
>            Priority: Blocker
>
> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56 mechanism can be used
> (due to recent vulnerabilities discovered in [collections], spring, groovy we can't suppose we don't run with these libraries so we need this fix as well)



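The blacklist mechanism the issue asks for, together with the serialisation round-trip deep copy Mark describes for view state, as an added example written for this page. It is not MyFaces' own MyFacesObjectInputStream and not the batchee commit Romain links; the class name, the isBlacklisted/deepCopy helpers, the constructed sample view state and the hand-patched hostile stream are all assumptions of the example. The three package prefixes are the ones named in the issue title.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Example only (not MyFaces code): an ObjectInputStream that refuses the package
 * prefixes named in the issue title. The check sits in resolveClass(), which runs
 * after the class descriptor is read from the untrusted bytes but before the class
 * is loaded or any instance is created, so no gadget constructor/readObject runs.
 */
public class BlacklistingObjectInputStream extends ObjectInputStream {

    // Prefixes from the issue title; the array itself is this example's assumption.
    private static final String[] BLACKLIST = {
        "org.codehaus.groovy.runtime.",
        "org.apache.commons.collections.functors.",
        "org.apache.xalan"
    };

    public BlacklistingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    static boolean isBlacklisted(String className) {
        for (String prefix : BLACKLIST) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isBlacklisted(desc.getName())) {
            // Fail closed: an IOException here aborts readObject() for the whole stream.
            throw new InvalidClassException(desc.getName(), "blacklisted for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Deep copy through a serialisation round-trip, the mechanism Mark describes. */
    static Object deepCopy(Serializable obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois =
                 new BlacklistingObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Constructed "view state": snapshot it, then mutate the live object.
        HashMap<String, Object> viewState = new HashMap<>();
        List<String> values = new ArrayList<>(Arrays.asList("a", "b"));
        viewState.put("values", values);
        Map<?, ?> saved = (Map<?, ?>) deepCopy(viewState);
        values.add("c");
        System.out.println("saved copy: " + saved.get("values"));   // still [a, b]
        System.out.println("live state: " + viewState.get("values")); // [a, b, c]

        // 2. Constructed hostile stream: serialise a harmless local class, then rewrite its
        //    16-character name in the bytes to "org.apache.xalan" (same length, so the
        //    UTF length prefix stays valid). No real gadget library is needed for the test.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ProbeSixteenChar());
        }
        String raw = new String(bos.toByteArray(), StandardCharsets.ISO_8859_1);
        byte[] hostile = raw.replace("ProbeSixteenChar", "org.apache.xalan")
                            .getBytes(StandardCharsets.ISO_8859_1);
        try (ObjectInputStream ois =
                 new BlacklistingObjectInputStream(new ByteArrayInputStream(hostile))) {
            ois.readObject();
            System.out.println("not reached");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}

/** Harmless placeholder whose 16-character name is swapped for "org.apache.xalan" above. */
class ProbeSixteenChar implements Serializable {
    private static final long serialVersionUID = 1L;
}
```

Run it as a single-file program with `java BlacklistingObjectInputStream.java` (JDK 11+). Note the limits of the approach the issue proposes: a prefix blacklist only stops the gadget chains known when the list was written, so an allowlist of the classes a view state is expected to contain (or, on JDK 9+ and 8u121+, an ObjectInputFilter carrying that allowlist) is the stronger check; the resolveClass hook above is the right place for either.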
