You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tapestry.apache.org by "Martijn Brinkers (JIRA)" <de...@tapestry.apache.org> on 2008/06/25 22:04:45 UTC

[jira] Created: (TAPESTRY-2482) Protect serialized object blobs from being tampered by external user

Protect serialized object blobs from being tampered by external user
--------------------------------------------------------------------

                 Key: TAPESTRY-2482
                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2482
             Project: Tapestry
          Issue Type: Improvement
          Components: Core Components
    Affects Versions: 5.0.13
            Reporter: Martijn Brinkers


Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
'inject' arbitary serialiable objects.
An external user can inject for example a very big byte array consuming a lot of memory. 

One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour. 

Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.   

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org

[jira] Updated: (TAPESTRY-2482) Protect serialized object blobs from being tampered by external user

Posted by "Howard M. Lewis Ship (JIRA)" <de...@tapestry.apache.org>.

     [ https://issues.apache.org/jira/browse/TAPESTRY-2482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship updated TAPESTRY-2482:
-------------------------------------------

    Fix Version/s: 5.1

> Protect serialized object blobs from being tampered by external user
> --------------------------------------------------------------------
>
>                 Key: TAPESTRY-2482
>                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2482
>             Project: Tapestry
>          Issue Type: Improvement
>          Components: Core Components
>    Affects Versions: 5.0.13
>            Reporter: Martijn Brinkers
>             Fix For: 5.1
>
>
> Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
> 'inject' arbitary serialiable objects.
> An external user can inject for example a very big byte array consuming a lot of memory. 
> One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour. 
> Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.   

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org

[jira] Commented: (TAPESTRY-2482) Protect serialized object blobs from being tampered by external user

Posted by "Martijn Brinkers (JIRA)" <de...@tapestry.apache.org>.

    [ https://issues.apache.org/jira/browse/TAPESTRY-2482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622659#action_12622659 ] 

Martijn Brinkers commented on TAPESTRY-2482:
--------------------------------------------

My solution for this can be found at http://wiki.apache.org/tapestry/Tapestry5PreventClientSideChanges


> Protect serialized object blobs from being tampered by external user
> --------------------------------------------------------------------
>
>                 Key: TAPESTRY-2482
>                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2482
>             Project: Tapestry
>          Issue Type: Improvement
>          Components: Core Components
>    Affects Versions: 5.0.13
>            Reporter: Martijn Brinkers
>
> Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
> 'inject' arbitary serialiable objects.
> An external user can inject for example a very big byte array consuming a lot of memory. 
> One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour. 
> Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.   

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org

[jira] Updated: (TAP5-111) Protect serialized object blobs from being tampered by external user

Posted by "Howard M. Lewis Ship (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/TAP5-111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship updated TAP5-111:
--------------------------------------

    Issue Type: New Feature  (was: Bug)

> Protect serialized object blobs from being tampered by external user
> --------------------------------------------------------------------
>
>                 Key: TAP5-111
>                 URL: https://issues.apache.org/jira/browse/TAP5-111
>             Project: Tapestry 5
>          Issue Type: New Feature
>    Affects Versions: 5.0.15
>            Reporter: Martijn Brinkers
>
> Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
> 'inject' arbitary serialiable objects.
> An external user can inject for example a very big byte array consuming a lot of memory. 
> One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour. 
> Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.   

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org