[ 
https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16710092#comment-16710092
 ] 

Thiago H. de Paula Figueiredo commented on TAP5-2008:
-----------------------------------------------------

A patch cannot be successfully applied to a different codebase than the one it 
was created for. Also, as far as I remember, Tapestry 4 doesn't serialize objects 
and put them in forms, so the problem itself doesn't apply to Tapestry 4 either.

> Serialized object data stored on the client should be HMAC signed and 
> validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>            Priority: Major
>              Labels: fixed-in-5.4-js-rewrite, security
>             Fix For: 5.3.6, 5.4
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are 
> stored on the client; primarily, this is for form submissions, to encode the 
> set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the 
> encoded data has not been tampered with.  It is relatively easy to create a 
> DOS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to 
> ensure that the contents of such data are valid; the signing and validation 
> should occur after writing GZipped content, and before GZip decoding (it is 
> very easy to provide a small gzipped payload that expands to an enormous 
> size, for example; this is one form of DOS).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
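The quoted issue describes the fix Tapestry adopted: compute an HMAC over the gzipped bytes before Base64-encoding them for the client, and verify that HMAC on the way back in before the data is gunzipped, so a forged payload (including a small gzip stream that inflates to a huge size) is rejected without ever being decompressed. The following is an added illustration of that design in Python, not code from Tapestry or from this ticket; the key, the 64 KiB inflate cap, the `mac || gzip` token layout and the sample form data are assumptions chosen for the example. It also adds a hard bound on the decompressed size as a second line of defence for authentic-but-oversized tokens, which goes a step beyond what the ticket asks for.

```python
import base64
import gzip
import hashlib
import hmac
import zlib

# Constructed secret for the example; a real deployment uses a server-side key
# that is never sent to the client.
SECRET_KEY = b"example-server-side-hmac-key"
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes of HMAC-SHA256 prefix the gzip stream
MAX_INFLATED = 64 * 1024                 # assumed upper bound on decompressed form data


def encode_for_client(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Server side: gzip, then sign the *compressed* bytes, then Base64."""
    gz = gzip.compress(payload)
    mac = hmac.new(key, gz, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + gz).decode("ascii")


def inflate_bounded(gz: bytes, max_inflated: int) -> bytes:
    """Gunzip, refusing to produce more than max_inflated bytes of output."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)      # 16+ selects the gzip wrapper
    out = d.decompress(gz, max_inflated + 1)               # stop early instead of inflating fully
    if len(out) > max_inflated or d.unconsumed_tail:
        raise ValueError("decompressed size exceeds limit")
    return out


def decode_from_client(token: str, key: bytes = SECRET_KEY,
                       max_inflated: int = MAX_INFLATED) -> bytes:
    """Client -> server: verify the HMAC on the compressed bytes *before* gunzipping."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("token too short")
    mac, gz = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(key, gz, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):              # constant-time comparison
        raise ValueError("HMAC mismatch: client data was tampered with")
    return inflate_bounded(gz, max_inflated)                # only now touch the gzip stream


def check(token: str, key: bytes = SECRET_KEY):
    """Convenience wrapper: (True, payload) or (False, reason) instead of an exception."""
    try:
        return True, decode_from_client(token, key)
    except ValueError as exc:
        return False, str(exc)


def forge_tampered_token() -> str:
    """Constructed test case: keep a valid MAC but swap in a different gzip body.

    This is the tampering the ticket describes; a 1 MiB run of zeros compresses
    to about a kilobyte, so an unsigned decoder would inflate it blindly.
    """
    genuine = base64.urlsafe_b64decode(encode_for_client(b"form:action=submit;field=name"))
    swapped_body = gzip.compress(b"\x00" * (1024 * 1024))
    return base64.urlsafe_b64encode(genuine[:MAC_LEN] + swapped_body).decode("ascii")


if __name__ == "__main__":
    token = encode_for_client(b"form:action=submit;field=name")
    print("round trip:", check(token))
    print("tampered  :", check(forge_tampered_token()))
    print("oversized :", check(encode_for_client(b"\x00" * (MAX_INFLATED + 1))))
```

Two points the ordering is meant to make: the MAC covers the compressed bytes, so verification costs one hash over a short input regardless of what the stream would inflate to, and `hmac.compare_digest` is used rather than `==` so the comparison does not leak the position of the first differing byte.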