myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Moritz Bechler (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Commented] (MYFACES-4021) blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in MyFacesObjectInputStream
Date Fri, 04 Dec 2015 11:20:11 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15041435#comment-15041435
] 

Moritz Bechler commented on MYFACES-4021:
-----------------------------------------

Sorry for the delay. I was actually refering to the server side state saving mechanism where
only the view key is transferred to the client. The serialization/deserialization to/from
the session is not as bad, usually an attacker cannot control that (and one may assume that
things in the session will be serialized/deserialized by something else anyway). 

That view key is encoded as a string by KeyFactory, but if I didn't totally miss something,
serialized afterwards (HtmlResponseStateManager.getSavedState() ->  DefaultStateTokenProcessor.decode()
-> StateUtils.reconstruct() -> StateUtils.getAsObject()) and that I think might not
be totally necessary. The the deserialization on restore gives a vector for all the nice deserialization
attacks out there (if USE_ENCRYPTION=false).



> blacklist org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan
in  MyFacesObjectInputStream
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4021
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4021
>             Project: MyFaces Core
>          Issue Type: Bug
>            Reporter: Romain Manni-Bucau
>            Priority: Blocker
>
> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56
mecanism can be used
> (due to recent vulnerability discovered in [collections], spring, groovy we can't suppose
we don't run with these libraries so we need this fix as well)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message