[
https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16709990#comment-16709990
]
Thiago H. de Paula Figueiredo commented on TAP5-2008:
-----------------------------------------------------
Hello, [[email protected]]!
Tapestry 4 and Tapestry 5 have completely different codebases, so you cannot
apply these changes to Tapestry 4.0.2.
> Serialized object data stored on the client should be HMAC signed and
> validated
> -------------------------------------------------------------------------------
>
> Key: TAP5-2008
> URL: https://issues.apache.org/jira/browse/TAP5-2008
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.3.5, 5.4
> Reporter: Howard M. Lewis Ship
> Assignee: Howard M. Lewis Ship
> Priority: Major
> Labels: fixed-in-5.4-js-rewrite, security
> Fix For: 5.3.6, 5.4
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are
> stored on the client; primarily, this is for form submissions, to encode the
> set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the
> encoded data has not been tampered with. It is relatively easy to create a
> DOS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to
> ensure that the contents of such data are valid; the signing and validation
> should occur after writing GZipped content, and before GZip decoding (it is
> very easy to provide a small gzipped payload that expands to an enormous
> size, for example; this is one form of DOS).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
