[ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16708484#comment-16708484 ]
Mahendran commented on TAP5-2008: --------------------------------- How to apply this changes in tapestry 4.0.2 version. > Serialized object data stored on the client should be HMAC signed and > validated > ------------------------------------------------------------------------------- > > Key: TAP5-2008 > URL: https://issues.apache.org/jira/browse/TAP5-2008 > Project: Tapestry 5 > Issue Type: Bug > Components: tapestry-core > Affects Versions: 5.3.5, 5.4 > Reporter: Howard M. Lewis Ship > Assignee: Howard M. Lewis Ship > Priority: Major > Labels: fixed-in-5.4-js-rewrite, security > Fix For: 5.3.6, 5.4 > > > Tapestry encodes serialized objects into Base64 encoded strings that are > stored on the client; primarily, this is for form submissions, to encode the > set of operations needed to process the form when it is submitted. > However, Tapestry does not use any form of validation to ensure that the > encoded data has not been tampered with. It is relatively easy to create a > DOS attack by exploiting this. > Tapestry should use some form of HMAC (hash-based message authentication) to > ensure that the contents of such data are valid; the signing and validation > should occur after writing GZipped content, and before GZip decoding (it is > very easy to provide a small gzipped payload that expands to an enormous > size, for example; this is one form of DOS). -- This message was sent by Atlassian JIRA (v7.6.3#76005)