Protect serialized object blobs from being tampered by external user
--------------------------------------------------------------------
Key: TAPESTRY-2482
URL: https://issues.apache.org/jira/browse/TAPESTRY-2482
Project: Tapestry
Issue Type: Improvement
Components: Core Components
Affects Versions: 5.0.13
Reporter: Martijn Brinkers
Using ClientPersistentFieldStorage (t:state:client parameter) an external user
can 'inject' arbitrary serializable objects.
An external user can inject for example a very big byte array consuming a lot
of memory.
One solution would be to add a keyed secure hash (HMAC to be precise) to the
binary blob so Tapestry can detect that the blob has been tampered with. It would
be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would
be serviced (that is, make it a service) so it would be easy to override this
behaviour.
Same applies to t:formdata although the impact is less because it only accepts
objects implementing ComponentAction.
--
This message is automatically generated by JIRA.
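The following is an added example of the mitigation the issue proposes, written for this page and not code from Tapestry or from the reporter. It wraps Java serialization in a pack/unpack pair that appends an HMAC-SHA256 tag to the serialized bytes and verifies the tag, in constant time, before a single byte reaches ObjectInputStream, so a forged or modified t:state:client value is rejected without being deserialized. As defence in depth it also bounds what an authentic blob may allocate via an ObjectInputFilter (Java 9+), which addresses the "very big byte array" case directly. The class and method names (SealedBlob, pack, unpack), the size limits and the allow-list pattern are assumptions for illustration, not Tapestry API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not Tapestry code: HMAC-authenticated packing/unpacking of a
 * serialized object blob. Names here (SealedBlob, pack, unpack) are hypothetical.
 */
public final class SealedBlob {
    private static final String MAC_ALG = "HmacSHA256";
    private static final int MAC_LEN = 32; // HmacSHA256 tag size in bytes

    private final SecretKeySpec key;

    /** key: a server-side secret that is never sent to the client (e.g. 32 random bytes). */
    public SealedBlob(byte[] key) {
        this.key = new SecretKeySpec(key, MAC_ALG);
    }

    /** Serialize obj, append HMAC(serialized bytes), Base64-encode for use in a form field. */
    public String pack(Object obj) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        byte[] payload = bos.toByteArray();
        byte[] tag = mac(payload);
        byte[] out = Arrays.copyOf(payload, payload.length + tag.length);
        System.arraycopy(tag, 0, out, payload.length, tag.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /**
     * Verify the HMAC before any deserialization happens, then deserialize under a
     * filter that bounds stream size, array length and depth and allows only
     * java.base classes (the allow-list pattern is an assumption for this example).
     */
    public Object unpack(String encoded, int maxBytes)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] in;
        try {
            in = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed blob");
        }
        if (in.length < MAC_LEN || in.length - MAC_LEN > maxBytes) {
            throw new SecurityException("blob has no MAC or exceeds size limit");
        }
        byte[] payload = Arrays.copyOfRange(in, 0, in.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(in, in.length - MAC_LEN, in.length);
        // Constant-time comparison: anything the server did not MAC is rejected here,
        // so attacker-controlled bytes never reach ObjectInputStream.
        if (!MessageDigest.isEqual(mac(payload), tag)) {
            throw new SecurityException("blob MAC mismatch (tampered or forged)");
        }
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxbytes=" + maxBytes + ";maxarray=10000;maxdepth=20;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(MAC_ALG);
        m.init(key);
        return m.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        SealedBlob sealed = new SealedBlob(key);

        // Constructed sample state: a small list, as a page might persist client-side.
        String blob = sealed.pack(new ArrayList<>(List.of("page-state", 42)));
        System.out.println("round trip: " + sealed.unpack(blob, 64 * 1024));

        // Simulated tampering: flip one byte of the decoded blob and re-encode it.
        byte[] raw = Base64.getDecoder().decode(blob);
        raw[5] ^= 0x01;
        try {
            sealed.unpack(Base64.getEncoder().encodeToString(raw), 64 * 1024);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of checks matters: Base64 decoding and the length check run on untrusted bytes but allocate nothing beyond the input itself, the MAC check then settles whether the bytes came from the server, and only then is ObjectInputStream opened. The filter is not a substitute for the MAC (an authentic-but-large blob is still the server's own doing); it is there so that a leaked key, or a bug elsewhere, cannot be turned into a memory-exhaustion vector. The same wrapper applies to t:formdata, where the verification step can additionally reject anything that is not a ComponentAction.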