[
https://issues.apache.org/jira/browse/TAP5-1988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Howard M. Lewis Ship updated TAP5-1988:
---------------------------------------
Description:
An unsolicited security review arrived concerning Tapestry; both core code, and
the GSoC project that provides anti-CSRF (cross-site forgery protection).
Although I am dubious about the "gzip bombs" allegation, it can be addressed.
In theory, because the contents are an object stream, the objects could be
replaced. In practice, all objects need to implement a Tapestry-specific
interface (ComponentAction) which means that arbitrary objects can not be
injected; only objects that are already present on the classpath of the running
application AND implement the ComponentAction interface could be injected. An
attacker would already have "the keys to the kingdom" before they could do
damage... that is, if they can manipulate the classpath of the running
application, they already have the ability to deploy any code, or access
internal servers directly.
However, I would see this as an opportunity to remove the t:state:client
("client" PersistentFieldStrategy implementation).
was:
An unsolicited security review arrived from Matta concerning Tapestry; both
core code, and the GSoC project that provides anti-CSRF (cross-site forgery
protection).
Although I am dubious about the "gzip bombs" allegation, it can be addressed.
In theory, because the contents are an object stream, the objects could be
replaced. In practice, all objects need to implement a Tapestry-specific
interface (ComponentAction) which means that arbitrary objects can not be
injected; only objects that are already present on the classpath of the running
application AND implement the ComponentAction interface could be injected. An
attacker would already have "the keys to the kingdom" before they could do
damage... that is, if they can manipulate the classpath of the running
application, they already have the ability to deploy any code, or access
internal servers directly.
However, I would see this as an opportunity to remove the t:state:client
("client" PersistentFieldStrategy implementation).
> Tapestry Security Violations
> ----------------------------
>
> Key: TAP5-1988
> URL: https://issues.apache.org/jira/browse/TAP5-1988
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.3, 5.4
> Reporter: Howard M. Lewis Ship
> Labels: security
>
> An unsolicited security review arrived concerning Tapestry; both core code,
> and the GSoC project that provides anti-CSRF (cross-site forgery protection).
> Although I am dubious about the "gzip bombs" allegation, it can be addressed.
> In theory, because the contents are an object stream, the objects could be
> replaced. In practice, all objects need to implement a Tapestry-specific
> interface (ComponentAction) which means that arbitrary objects can not be
> injected; only objects that are already present on the classpath of the
> running application AND implement the ComponentAction interface could be
> injected. An attacker would already have "the keys to the kingdom" before
> they could do damage... that is, if they can manipulate the classpath of the
> running application, they already have the ability to deploy any code, or
> access internal servers directly.
> However, I would see this as an opportunity to remove the t:state:client
> ("client" PersistentFieldStrategy implementation).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
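The description above argues that client-side state is safe because every object in the stream must implement ComponentAction, and that the "gzip bomb" concern can be addressed separately. The following is an added illustration of both mitigations as a defender would write them; it is not Tapestry's own code. The ComponentAction interface here is a stand-in for Tapestry's, SetValueAction and the 64 KiB decompression cap are constructed for the demo, and the class check is deliberately strict (it admits only ComponentAction implementers, so real code would also have to allow whatever field types the actions legitimately carry). It assumes Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class RestrictedStateDecoder {

    // Hypothetical stand-in for Tapestry's ComponentAction interface.
    interface ComponentAction extends Serializable {}

    // Constructed example of an action the application expects to see.
    static final class SetValueAction implements ComponentAction {
        private static final long serialVersionUID = 1L;
        final String field;
        final int value;
        SetValueAction(String field, int value) { this.field = field; this.value = value; }
    }

    // Hard cap on decompressed bytes (constructed value): a tiny compressed payload
    // that expands far beyond this is cut off instead of exhausting memory.
    static final long MAX_DECOMPRESSED_BYTES = 64 * 1024;

    // Counts bytes handed to the deserializer and fails once the cap is reached.
    static final class BoundedInputStream extends FilterInputStream {
        private long remaining;
        BoundedInputStream(InputStream in, long limit) { super(in); this.remaining = limit; }
        @Override public int read() throws IOException {
            if (remaining <= 0) throw new IOException("decompressed size limit exceeded");
            int b = super.read();
            if (b >= 0) remaining--;
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            if (remaining <= 0) throw new IOException("decompressed size limit exceeded");
            int n = super.read(buf, off, (int) Math.min(len, remaining));
            if (n > 0) remaining -= n;
            return n;
        }
    }

    // Look-ahead deserializer: the class is checked when its descriptor is read,
    // before any instance is constructed, so a non-action class never gets created.
    static final class ActionOnlyObjectInputStream extends ObjectInputStream {
        ActionOnlyObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            Class<?> c = super.resolveClass(desc);
            if (!ComponentAction.class.isAssignableFrom(c)) {
                throw new InvalidClassException(c.getName(), "not a ComponentAction");
            }
            return c;
        }
    }

    // Serialize and gzip an action the way client-persisted state would be encoded.
    static byte[] encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(new GZIPOutputStream(bytes))) {
            oos.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Decode untrusted client state with both the size bound and the class restriction.
    static ComponentAction decode(byte[] payload) throws IOException, ClassNotFoundException {
        InputStream bounded = new BoundedInputStream(
                new GZIPInputStream(new ByteArrayInputStream(payload)), MAX_DECOMPRESSED_BYTES);
        try (ObjectInputStream ois = new ActionOnlyObjectInputStream(bounded)) {
            return (ComponentAction) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate action round-trips.
        SetValueAction a = (SetValueAction) decode(encode(new SetValueAction("count", 3)));
        System.out.println("accepted: " + a.field + "=" + a.value);

        // A serializable class that is not a ComponentAction is rejected before instantiation.
        try {
            decode(encode(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A constructed, highly compressible payload that expands past the cap is cut off.
        try {
            decode(encode(new SetValueAction("x".repeat(1_000_000), 0)));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two checks are independent: the byte bound sits between the gzip layer and the object layer so that expansion is stopped regardless of what the stream claims to contain, and resolveClass runs on every class descriptor in the stream, which is the point the description makes about ComponentAction (a class on the classpath that does not implement the interface cannot be reached through this path).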