[
https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15031126#comment-15031126
]
Mark Struberg commented on MYFACES-4021:
----------------------------------------
The serialisation used to be required by the spec. But we do this actually
_before_ we store it in the Http session. The point is that you can only make
sure a view state is truly separated from the previous version by serialising
it. You kind of need to get a deep copy, otherwise changes done on references
will also modify old view states. This requirement only got dropped from the
spec as it was made clear that the RI itself doesn't implement it ;)
> blacklist
> org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan
> in MyFacesObjectInputStream
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: MYFACES-4021
> URL: https://issues.apache.org/jira/browse/MYFACES-4021
> Project: MyFaces Core
> Issue Type: Bug
> Reporter: Romain Manni-Bucau
> Priority: Blocker
>
> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56
> mecanism can be used
> (due to recent vulnerability discovered in [collections], spring, groovy we
> can't suppose we don't run with these libraries so we need this fix as well)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
