[ 
https://issues.apache.org/jira/browse/ACCUMULO-1986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Eric Newton updated ACCUMULO-1986:
----------------------------------

       Resolution: Fixed
    Fix Version/s: 1.6.0
                   1.5.1
           Status: Resolved  (was: Patch Available)

> Validity checks missing for readFields and Thrift deserialization
> -----------------------------------------------------------------
>
>                 Key: ACCUMULO-1986
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1986
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Bill Havanki
>            Assignee: Bill Havanki
>              Labels: serialization, thrift, validation
>             Fix For: 1.4.5, 1.5.1, 1.6.0
>
>         Attachments: ACCUMULO-1986.patch, examined-classes.txt
>
>
> Classes in o.a.a.core.data (and potentially elsewhere) that support 
> construction from a Thrift object and/or population from a {{DataInput}} (via 
> a {{readFields()}} method) often lack data validity checks that the classes' 
> constructors enforce. The missing checks make it possible for an attacker to 
> create invalid objects by manipulating the bytes being read. The situation is 
> analogous to the need to check objects deserialized from their Java 
> serialized form within the {{readObject()}} method.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)

Reply via email to
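The pattern the issue describes, as an added example that is not part of the JIRA message or of Accumulo's own code: a hypothetical value class (ValidatedRange, with a hypothetical TRange standing in for a Thrift-generated struct) whose constructor enforces an invariant, a readFields() that skips the check and so can be driven into an invalid state by tampering with the serialized bytes, and the fixed readFields() and Thrift-side constructor that route through the same validation the constructor uses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;

// Hypothetical, simplified value class (not Accumulo's own code) modelling the
// pattern in ACCUMULO-1986: the constructor enforces an invariant, but the object
// can also be populated from a DataInput (readFields) or built from a Thrift object.
public class ValidatedRange {

  // Hypothetical stand-in for a Thrift-generated struct: bare fields, no validation.
  public static final class TRange {
    public long start;
    public long end;
  }

  private long start;
  private long end;

  // No-arg constructor required by the Writable-style readFields() pattern.
  public ValidatedRange() {}

  public ValidatedRange(long start, long end) {
    // Invariant enforced at construction: 0 <= start <= end.
    checkInvariants(start, end);
    this.start = start;
    this.end = end;
  }

  // Fixed Thrift path: reuse the validating constructor instead of copying fields.
  public ValidatedRange(TRange t) {
    this(t.start, t.end);
  }

  // Single definition of the invariant so every entry point applies the same rule.
  private static void checkInvariants(long start, long end) {
    if (start < 0) {
      throw new IllegalArgumentException("start must be non-negative: " + start);
    }
    if (start > end) {
      throw new IllegalArgumentException("start " + start + " exceeds end " + end);
    }
  }

  public void write(DataOutput out) throws IOException {
    out.writeLong(start);
    out.writeLong(end);
  }

  // Missing checks (the bug): whoever controls the bytes can produce start > end,
  // an object the constructor would never have allowed to exist.
  public void readFieldsUnchecked(DataInput in) throws IOException {
    start = in.readLong();
    end = in.readLong();
  }

  // Fixed form: read into locals, validate, then commit, so a rejected read leaves
  // the object untouched rather than half-populated with attacker-chosen values.
  public void readFields(DataInput in) throws IOException {
    long s = in.readLong();
    long e = in.readLong();
    try {
      checkInvariants(s, e);
    } catch (IllegalArgumentException ex) {
      // Report malformed input through the IOException contract readFields callers expect.
      throw new IOException("invalid serialized range: " + ex.getMessage(), ex);
    }
    start = s;
    end = e;
  }

  public long getStart() { return start; }
  public long getEnd() { return end; }

  public static void main(String[] args) throws IOException {
    // Constructed sample: a legitimate range serialized with write() (two big-endian longs).
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    new ValidatedRange(10, 20).write(new DataOutputStream(bos));
    byte[] bytes = bos.toByteArray();

    // Tamper with the serialized bytes: overwrite the second long (end) with 5,
    // so the wire form now encodes start=10, end=5.
    ByteBuffer.wrap(bytes).putLong(8, 5L);

    ValidatedRange unchecked = new ValidatedRange();
    unchecked.readFieldsUnchecked(new DataInputStream(new ByteArrayInputStream(bytes)));
    System.out.println("unchecked: start=" + unchecked.getStart() + " end=" + unchecked.getEnd());

    ValidatedRange checked = new ValidatedRange();
    try {
      checked.readFields(new DataInputStream(new ByteArrayInputStream(bytes)));
      System.out.println("checked: accepted (unexpected)");
    } catch (IOException e) {
      System.out.println("checked: rejected -> " + e.getMessage());
    }
  }
}
```

The important design point is that readFields() and the Thrift constructor call the same checkInvariants() the public constructor uses, so the invariant is defined once and cannot silently diverge between the construction path and the deserialization paths; reading into locals before assigning also avoids leaving a partially populated object behind when the check fails.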