[ 
https://issues.apache.org/jira/browse/ACCUMULO-1986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13851788#comment-13851788
 ] 

ASF subversion and git services commented on ACCUMULO-1986:
-----------------------------------------------------------

Commit adee0f129f66c346e026b1803793caa233d29930 in branch 
refs/heads/1.6.0-SNAPSHOT from [~bhavanki]
[ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=adee0f1 ]

ACCUMULO-1986 Add data integrity checks to Key and Mutation

This change adds checks to the constructors for Key and Mutations which
take in Thrift data structures to ensure that required fields are not
null. These checks prevent creation of invalid objects from modified
Thrift structures.

Signed-off-by: Eric Newton <[email protected]>


> Validity checks missing for readFields and Thrift deserialization
> -----------------------------------------------------------------
>
>                 Key: ACCUMULO-1986
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1986
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Bill Havanki
>            Assignee: Bill Havanki
>              Labels: serialization, thrift, validation
>             Fix For: 1.4.5
>
>         Attachments: ACCUMULO-1986.patch, examined-classes.txt
>
>
> Classes in o.a.a.core.data (and potentially elsewhere) that support 
> construction from a Thrift object and/or population from a {{DataInput}} (via 
> a {{readFields()}} method) often lack data validity checks that the classes' 
> constructors enforce. The missing checks make it possible for an attacker to 
> create invalid objects by manipulating the bytes being read. The situation is 
> analogous to the need to check objects deserialized from their Java 
> serialized form within the {{readObject()}} method.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
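The pattern the issue describes, as an added example that is not Accumulo's own code: a minimal Key-like class whose Thrift-backed constructor and readFields() method enforce the same invariants as its ordinary constructor, so neither a peer-supplied Thrift struct with unset fields nor a tampered byte stream can produce an object the normal constructor would have refused. TKeyStruct is a hypothetical stand-in for a Thrift-generated struct such as TKey, MAX_FIELD_LEN is an assumed per-field size cap, and the tampered stream in main() is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not Accumulo's code: validity checks applied on every path
// that builds a Key, not only the ordinary constructor.
public class ValidatedKey {

  // Hypothetical stand-in for a Thrift-generated struct (e.g. TKey). Thrift
  // leaves unset binary fields as null, which is exactly what must be caught.
  public static final class TKeyStruct {
    public byte[] row, colFamily, colQualifier;
    public long timestamp;
  }

  // Assumed upper bound on one serialized field, to stop absurd allocations.
  private static final int MAX_FIELD_LEN = 1 << 20;

  private byte[] row, colFamily, colQualifier;
  private long timestamp;

  // Ordinary constructor: these are the invariants every Key must satisfy.
  public ValidatedKey(byte[] row, byte[] cf, byte[] cq, long ts) {
    this.row = require(row, "row");
    this.colFamily = require(cf, "colFamily");
    this.colQualifier = require(cq, "colQualifier");
    this.timestamp = ts;
  }

  // Thrift-backed constructor: the peer controls the struct, so route it
  // through the same checks instead of copying fields blindly.
  public ValidatedKey(TKeyStruct t) {
    this(t.row, t.colFamily, t.colQualifier, t.timestamp);
  }

  // No-arg constructor exists only for the Writable-style readFields() path.
  public ValidatedKey() {}

  public void write(DataOutput out) throws IOException {
    writeField(out, row);
    writeField(out, colFamily);
    writeField(out, colQualifier);
    out.writeLong(timestamp);
  }

  // Deserialization is a constructor in disguise: the bytes may have been
  // manipulated, so lengths and required fields are re-checked here too.
  public void readFields(DataInput in) throws IOException {
    row = readField(in, "row");
    colFamily = readField(in, "colFamily");
    colQualifier = readField(in, "colQualifier");
    timestamp = in.readLong();
  }

  public byte[] getRow() { return row; }

  private static byte[] require(byte[] v, String name) {
    if (v == null) throw new IllegalArgumentException(name + " must not be null");
    return v;
  }

  private static void writeField(DataOutput out, byte[] v) throws IOException {
    out.writeInt(v.length);
    out.write(v);
  }

  private static byte[] readField(DataInput in, String name) throws IOException {
    int len = in.readInt();
    // A negative or oversized length prefix is how a tampered stream would
    // otherwise cause NegativeArraySizeException or a huge allocation.
    if (len < 0 || len > MAX_FIELD_LEN)
      throw new IOException("invalid length " + len + " for " + name);
    byte[] v = new byte[len];
    in.readFully(v);
    return v;
  }

  public static void main(String[] args) throws IOException {
    // 1. Thrift struct with a required field unset is rejected.
    TKeyStruct t = new TKeyStruct();
    t.row = "r1".getBytes(StandardCharsets.UTF_8);
    t.colFamily = "cf".getBytes(StandardCharsets.UTF_8); // colQualifier left null
    try { new ValidatedKey(t); }
    catch (IllegalArgumentException e) { System.out.println("thrift ctor rejected: " + e.getMessage()); }

    // 2. A valid key round-trips through write()/readFields().
    t.colQualifier = new byte[0];
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    new ValidatedKey(t).write(new DataOutputStream(bos));
    byte[] bytes = bos.toByteArray();
    ValidatedKey copy = new ValidatedKey();
    copy.readFields(new DataInputStream(new ByteArrayInputStream(bytes)));
    System.out.println("round trip row = " + new String(copy.getRow(), StandardCharsets.UTF_8));

    // 3. Constructed tampered stream: overwrite the first length prefix with -1.
    byte[] tampered = bytes.clone();
    for (int i = 0; i < 4; i++) tampered[i] = (byte) 0xFF;
    try { new ValidatedKey().readFields(new DataInputStream(new ByteArrayInputStream(tampered))); }
    catch (IOException e) { System.out.println("readFields rejected: " + e.getMessage()); }
  }
}
```

The point of routing the Thrift constructor through the ordinary one is that there is a single place where the invariants live; a check added to the ordinary constructor later is then automatically applied to the Thrift and readFields() paths as well, which is the property the issue says the existing classes lack.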
