Posted to commits@tapestry.apache.org by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org> on 2012/10/04 20:55:47 UTC

[jira] [Updated] (TAP5-2008) Serialized object data stored on the client should be HMAC signed and validated

     [ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship updated TAP5-2008:
---------------------------------------

    Labels: fixed-in-5.4-js-rewrite security  (was: security)
    
> Serialized object data stored on the client should be HMAC signed and validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>              Labels: fixed-in-5.4-js-rewrite, security
>             Fix For: 5.3.6
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with.  It is relatively easy to create a DOS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DOS).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
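The ordering the issue asks for, signing the compressed bytes and validating the tag before anything is inflated, is shown below as an added example. It is not Tapestry's code and is written in Python rather than Java to keep it self-contained; the tag layout (HMAC-SHA256 prepended to the gzip body), the key, the sample payload and the helper names are all assumptions made for this illustration.

```python
import base64
import gzip
import hashlib
import hmac
import secrets

# Length of an HMAC-SHA256 tag; the tag is prepended to the compressed payload
# (layout chosen for this example, not Tapestry's wire format).
MAC_LEN = hashlib.sha256().digest_size

# Counts how often gunzip actually runs, so the demonstration can show that a
# rejected token never reaches the decompressor.
_decompress_calls = 0


def decompress_calls() -> int:
    return _decompress_calls


def _inflate(compressed: bytes) -> bytes:
    global _decompress_calls
    _decompress_calls += 1
    return gzip.decompress(compressed)


def encode_client_data(key: bytes, payload: bytes) -> str:
    """Compress, sign the *compressed* bytes, then Base64 the tag + body."""
    compressed = gzip.compress(payload)
    tag = hmac.new(key, compressed, hashlib.sha256).digest()
    return base64.b64encode(tag + compressed).decode("ascii")


def decode_client_data(key: bytes, token: str) -> bytes:
    """Reverse of encode_client_data: verify the tag before touching gzip."""
    raw = base64.b64decode(token, validate=True)  # binascii.Error is a ValueError
    if len(raw) < MAC_LEN:
        raise ValueError("token too short to carry an HMAC tag")
    tag, compressed = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(key, compressed, hashlib.sha256).digest()
    # Constant-time comparison; only authenticated bytes are ever inflated.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("client data failed HMAC validation")
    return _inflate(compressed)


def try_decode(key: bytes, token: str):
    """Return the payload, or None if the token is rejected for any reason."""
    try:
        return decode_client_data(key, token)
    except ValueError:
        return None


def tampered_copy(token: str) -> str:
    """Constructed test input: flip one bit in the gzip body of a valid token."""
    raw = bytearray(base64.b64decode(token))
    raw[-1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def unauthenticated_token(inflated_size: int) -> str:
    """Constructed test input: a small gzip body that inflates to
    `inflated_size` bytes, carrying a random (invalid) tag."""
    body = gzip.compress(b"\0" * inflated_size)
    return base64.b64encode(secrets.token_bytes(MAC_LEN) + body).decode("ascii")


if __name__ == "__main__":
    key = b"constructed-test-key-not-for-production"
    token = encode_client_data(key, b'["operation-1","operation-2"]')
    print("valid token decodes to:", try_decode(key, token))
    print("tampered token:", try_decode(key, tampered_copy(token)))
    print("unauthenticated 1 MiB body:", try_decode(key, unauthenticated_token(1 << 20)))
    print("gunzip ran", decompress_calls(), "time(s)")
```

Because the tag is computed over the compressed bytes, a token the server did not produce is rejected before `gzip.decompress` is ever called, which is exactly what removes the inflate-to-enormous-size problem the issue describes; validating after decompression would already have spent the memory. Key storage and rotation are outside this example.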