Posted to dev@tapestry.apache.org by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org> on 2012/10/04 20:17:47 UTC

[jira] [Created] (TAP5-2008) Serialized object data stored on the client should be HMAC signed and validated

Howard M. Lewis Ship created TAP5-2008:
------------------------------------------

             Summary: Serialized object data stored on the client should be HMAC signed and validated
                 Key: TAP5-2008
                 URL: https://issues.apache.org/jira/browse/TAP5-2008
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.3.5, 5.4
            Reporter: Howard M. Lewis Ship


Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.

However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with.  It is relatively easy to create a DoS attack by exploiting this.

Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DoS).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
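The scheme the report asks for, as an added example in Java that is not Tapestry's own code: the serialized payload is gzipped, an HMAC-SHA256 tag is computed over the compressed bytes, and on submission the tag is checked with a constant-time comparison before anything is inflated, so a decompression bomb is rejected without ever being gunzipped. The class name, the wire layout (tag prepended to the gzip bytes, then base64url), the key source and the inflated-size cap are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not Tapestry code. Wire format (an assumption):
 *   base64url( HMAC-SHA256(key, gzipBytes) || gzipBytes )
 * The tag is computed over the compressed bytes and verified before gunzip.
 */
public final class SignedClientBlob {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final int TAG_LEN = 32;
    // Second guard: cap on inflated size (value is an assumption; tune per deployment).
    private static final int MAX_INFLATED = 256 * 1024;

    private final SecretKeySpec key;

    public SignedClientBlob(byte[] secret) {
        this.key = new SecretKeySpec(secret, HMAC_ALG);
    }

    /** Key source is an assumption; a real app loads one shared secret per deployment. */
    public static byte[] newRandomKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    /** On render: gzip the serialized payload, then sign the compressed bytes. */
    public String encode(byte[] serialized) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(serialized);
        }
        byte[] compressed = bos.toByteArray();
        byte[] tag = hmac(compressed);
        byte[] out = new byte[TAG_LEN + compressed.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(compressed, 0, out, TAG_LEN, compressed.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** On submit: verify the tag over the still-compressed bytes, only then inflate. */
    public byte[] decode(String clientValue) throws IOException, GeneralSecurityException {
        byte[] in;
        try {
            in = Base64.getUrlDecoder().decode(clientValue);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed client data");
        }
        if (in.length < TAG_LEN) throw new SecurityException("malformed client data");
        byte[] tag = Arrays.copyOfRange(in, 0, TAG_LEN);
        byte[] compressed = Arrays.copyOfRange(in, TAG_LEN, in.length);
        // MessageDigest.isEqual is constant-time; nothing has been inflated yet.
        if (!MessageDigest.isEqual(tag, hmac(compressed))) {
            throw new SecurityException("client data failed HMAC validation");
        }
        return inflateBounded(compressed);
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(key);
        return mac.doFinal(data);
    }

    /** Defence in depth: even authentic data is never inflated past MAX_INFLATED. */
    private static byte[] inflateBounded(byte[] compressed) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream gz = new GZIPInputStream(new ByteArrayInputStream(compressed))) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = gz.read(buf)) != -1) {
                if (out.size() + n > MAX_INFLATED) throw new IOException("inflated size limit exceeded");
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        SignedClientBlob blob = new SignedClientBlob(newRandomKey());
        byte[] payload = "form-actions:v1".getBytes(StandardCharsets.UTF_8); // constructed sample
        String encoded = blob.encode(payload);
        System.out.println("round trip ok: " + Arrays.equals(payload, blob.decode(encoded)));

        // Tamper with one byte of the compressed section: rejected before gunzip runs.
        byte[] raw = Base64.getUrlDecoder().decode(encoded);
        raw[raw.length - 1] ^= 0x01;
        try {
            blob.decode(Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
            System.out.println("accepted tampered data (BUG)");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order matters: signing the compressed bytes means the server's only work on a forged or corrupted submission is one HMAC over a small input, and the inflate step runs only on data the server itself produced. Verifying after decompression would let an attacker drive memory and CPU with a tiny gzip bomb before the check ever fires. The size cap is kept as a second line of defence for the case where the key is leaked or reused across deployments.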

[jira] [Resolved] (TAP5-2008) Serialized object data stored on the client should be HMAC signed and validated

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship resolved TAP5-2008.
----------------------------------------

       Resolution: Fixed
    Fix Version/s: 5.3.6
    
> Serialized object data stored on the client should be HMAC signed and validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>              Labels: fixed-in-5.4-js-rewrite, security
>             Fix For: 5.3.6
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with.  It is relatively easy to create a DoS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DoS).


[jira] [Updated] (TAP5-2008) Serialized object data stored on the client should be HMAC signed and validated

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship updated TAP5-2008:
---------------------------------------

    Labels: fixed-in-5.4-js-rewrite security  (was: security)
    
> Serialized object data stored on the client should be HMAC signed and validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>              Labels: fixed-in-5.4-js-rewrite, security
>             Fix For: 5.3.6
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with.  It is relatively easy to create a DoS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DoS).


[jira] [Assigned] (TAP5-2008) Serialized object data stored on the client should be HMAC signed and validated

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship reassigned TAP5-2008:
------------------------------------------

    Assignee: Howard M. Lewis Ship
    
> Serialized object data stored on the client should be HMAC signed and validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>              Labels: security
>
> Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with.  It is relatively easy to create a DoS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DoS).

