[ https://issues.apache.org/jira/browse/CLK-174?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adrian A. updated CLK-174:
--------------------------
Fix Version/s: 3.0.0
> Security improvement of HiddenField
> -----------------------------------
>
> Key: CLK-174
> URL: https://issues.apache.org/jira/browse/CLK-174
> Project: Click
> Issue Type: Improvement
> Components: core
> Reporter: Sadanori Ito
> Assignee: Malcolm Edgar
> Fix For: 3.0.0
>
> Attachments: ASF.LICENSE.NOT.GRANTED--hiddenfield-security-patch.txt
>
>
> I'm not a security professional, but I think that the HiddenField has
> a security problem. When Serializable non-primitive objects are rendered,
> we can decode the hidden value and edit the serialized data using a binary
> editor.
> This patch is not the perfect solution, but will be a better option.
> Known issues in this patch:
> * Using a session to store the cryptographic key.
> -> When the session times out, the hidden value can't be decrypted.
> * Default flag (not secure, for compatibility?)
> * Performance
> Reference:
> "Security in Object Serialization"
> http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#2527
> "A.8 Encrypting a Bytestream"
> http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#4346
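The weakness the reporter describes, and the shape of the mitigation, side by side as an added example. This is not the attached patch and not Click code: the `OrderState` class is a hypothetical stand-in for whatever Serializable value a page puts in a hidden field, the cipher choice (AES-GCM, which authenticates as well as encrypts) and the `"hidden-field"` AAD label are this example's own, and the key is assumed to live server-side for the life of the session, as the patch description says. Only JDK classes are used.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class HiddenStateDemo {

    // Hypothetical form state; stands in for the Serializable object a page
    // would hand to a hidden field. Not a Click class.
    static class OrderState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int priceCents;
        OrderState(String item, int priceCents) { this.item = item; this.priceCents = priceCents; }
        @Override public String toString() { return item + " @ " + priceCents + " cents"; }
    }

    private static final int IV_BYTES = 12;  // 96-bit nonce, the size GCM is specified for
    private static final int TAG_BITS = 128; // full-length authentication tag
    private static final byte[] PURPOSE = "hidden-field".getBytes(StandardCharsets.UTF_8); // constructed AAD label

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) { return in.readObject(); }
    }

    // --- Unprotected form: serialized bytes merely Base64-encoded. ---
    // Whoever holds the page can decode, edit and re-encode the value; the
    // server has no way to tell its own output from a client-made one.
    static String encodePlain(Serializable value) throws IOException {
        return Base64.getEncoder().encodeToString(serialize(value));
    }

    static Object decodePlain(String hidden) throws IOException, ClassNotFoundException {
        return deserialize(Base64.getDecoder().decode(hidden));
    }

    // --- Protected form: AES-GCM under a key the server keeps (here: per session). ---
    static SecretKey newSessionKey() throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        return generator.generateKey();
    }

    static String encodeSealed(Serializable value, SecretKey key) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh nonce for every value; never reused under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(PURPOSE); // binds the purpose into the tag, so the value is useless elsewhere
        byte[] ciphertextAndTag = cipher.doFinal(serialize(value));
        byte[] wire = new byte[IV_BYTES + ciphertextAndTag.length];
        System.arraycopy(iv, 0, wire, 0, IV_BYTES);
        System.arraycopy(ciphertextAndTag, 0, wire, IV_BYTES, ciphertextAndTag.length);
        return Base64.getEncoder().encodeToString(wire);
    }

    static Object decodeSealed(String hidden, SecretKey key)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        byte[] wire = Base64.getDecoder().decode(hidden);
        if (wire.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("hidden value too short to carry nonce and tag");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, wire, 0, IV_BYTES));
        cipher.updateAAD(PURPOSE);
        // doFinal checks the tag before releasing any plaintext: an edited value or a
        // different session key raises AEADBadTagException, so only bytes the server
        // itself sealed ever reach ObjectInputStream.
        byte[] plain = cipher.doFinal(wire, IV_BYTES, wire.length - IV_BYTES);
        return deserialize(plain);
    }

    public static void main(String[] args) throws Exception {
        // 1. Plain encoding: a value the server never issued is accepted without complaint.
        String clientMade = encodePlain(new OrderState("widget", 1));
        System.out.println("plain decode of client-made value: " + decodePlain(clientMade));

        // 2. Sealed encoding: the genuine value round-trips under the session key ...
        SecretKey sessionKey = newSessionKey();
        String sealed = encodeSealed(new OrderState("widget", 1999), sessionKey);
        System.out.println("sealed decode of genuine value:    " + decodeSealed(sealed, sessionKey));

        // ... one flipped ciphertext byte is rejected before deserialization ...
        byte[] wire = Base64.getDecoder().decode(sealed);
        wire[IV_BYTES] ^= 0x01;
        try {
            decodeSealed(Base64.getEncoder().encodeToString(wire), sessionKey);
        } catch (AEADBadTagException e) {
            System.out.println("modified sealed value rejected: " + e.getClass().getSimpleName());
        }

        // ... and, as the reporter's first known issue says, a value sealed under an
        // expired session's key cannot be opened under the new session's key.
        try {
            decodeSealed(sealed, newSessionKey());
        } catch (AEADBadTagException e) {
            System.out.println("value from an expired session rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two points the run makes concrete. First, Base64 is an encoding, not a protection: `decodePlain` happily rebuilds an object the server never produced, which is exactly the "decode and edit" problem in the report. Second, with an authenticated cipher the tag check in `decodeSealed` is the detection point: an `AEADBadTagException` on a hidden field is worth logging, because a genuine browser never produces one. The session-scoped key trades that for the timeout failure the reporter lists; an application-wide key with a rotation period is the usual way around it. Independently of the encryption, on Java 9 and later `ObjectInputStream.setObjectInputFilter` can restrict which classes `deserialize` is allowed to instantiate, which limits the damage should a key ever leak.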
--
This message was sent by Atlassian JIRA
(v6.1#6144)