[ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16710092#comment-16710092 ]
Thiago H. de Paula Figueiredo commented on TAP5-2008:
-----------------------------------------------------

A patch cannot be successfully applied to a different codebase than the one it was created for. Also, as far as I remember, Tapestry 4 doesn't serialize objects and put them in forms, so the problem itself doesn't apply to Tapestry 4 either.

> Serialized object data stored on the client should be HMAC signed and validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>            Priority: Major
>              Labels: fixed-in-5.4-js-rewrite, security
>             Fix For: 5.3.6, 5.4
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with. It is relatively easy to create a DOS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DOS).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
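An added, self-contained illustration of the ordering the issue asks for (tag the gzipped bytes, verify the tag before gunzipping) in Python rather than Tapestry's Java; this is not Tapestry's own code. The key would come from server-side configuration; the blobs, the key and the 1 MiB decompression test are constructed here.

```python
import base64
import gzip
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

def encode_client_data(payload: bytes, key: bytes) -> str:
    """gzip the serialized form operations, then tag the *compressed* bytes
    with HMAC-SHA256 and Base64 the result for the hidden form field."""
    compressed = gzip.compress(payload)
    tag = hmac.new(key, compressed, hashlib.sha256).digest()
    return base64.b64encode(compressed + tag).decode("ascii")

def decode_client_data(encoded: str, key: bytes) -> bytes:
    """Reverse of encode: Base64-decode, verify the tag over the still-compressed
    bytes, and only then gunzip. Raises ValueError on any tampering."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("client data is not valid Base64")
    if len(raw) <= TAG_LEN:
        raise ValueError("client data too short to carry a tag")
    compressed, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: client data was tampered with")
    return gzip.decompress(compressed)  # inflate only after the tag checks out

def tampered_blob_is_rejected(key: bytes) -> bool:
    """Flip one byte in the gzip header of a valid blob; the decoder must refuse it."""
    raw = bytearray(base64.b64decode(encode_client_data(b"form ops", key)))
    raw[5] ^= 0x01  # inside the 10-byte gzip header, well before the tag
    try:
        decode_client_data(base64.b64encode(bytes(raw)).decode("ascii"), key)
    except ValueError:
        return True
    return False

def unsigned_bomb_is_rejected(key: bytes) -> bool:
    """A tiny gzip body that would inflate to 1 MiB, carrying a bogus all-zero tag:
    the HMAC check fails first, so the inflation never runs."""
    bomb = gzip.compress(b"\0" * (1 << 20)) + b"\0" * TAG_LEN
    try:
        decode_client_data(base64.b64encode(bomb).decode("ascii"), key)
    except ValueError:
        return True
    return False
```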