accumulo-notifications mailing list archives

From "Bill Havanki (JIRA)" <>
Subject [jira] [Updated] (ACCUMULO-1986) Validity checks missing for readFields and Thrift deserialization
Date Thu, 12 Dec 2013 20:09:09 GMT


Bill Havanki updated ACCUMULO-1986:

    Attachment: examined-classes.txt

Attaching notes on 1.4.x classes that I examined for safe readFields and Thrift deserialization.
This is to help others find out, for example, if I checked a particular class.

> Validity checks missing for readFields and Thrift deserialization
> -----------------------------------------------------------------
>                 Key: ACCUMULO-1986
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Bill Havanki
>            Assignee: Bill Havanki
>              Labels: serialization, thrift, validation
>         Attachments: examined-classes.txt
> Classes in (and potentially elsewhere) that support construction from
> a Thrift object and/or population from a {{DataInput}} (via a {{readFields()}} method) often
> lack data validity checks that the classes' constructors enforce. The missing checks make
> it possible for an attacker to create invalid objects by manipulating the bytes being read.
> The situation is analogous to the need to check objects deserialized from their Java serialized
> form within the {{readObject()}} method.

This message was sent by Atlassian JIRA
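The pattern the issue describes, as an added example that is not Accumulo code and not part of this thread: a hypothetical KeyRange value object whose constructor enforces an invariant (both rows present, start row sorts at or before end row, bounded length), a readFields() that copies fields straight from the DataInput and so bypasses that invariant, and a hardened readFields() that bounds each length before allocating and re-runs the constructor's validation. The class name, the MAX_ROW_LEN bound and the isValid() helper are assumptions made for the example; it uses only java.io.DataInput/DataOutput rather than Hadoop's Writable interface so that it compiles against the JDK alone.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.Arrays;

// Added example, not Accumulo code. KeyRange and MAX_ROW_LEN are hypothetical.
public final class KeyRangeDemo {

  // Hypothetical upper bound on a row length, so a hostile length prefix
  // cannot force a huge allocation before the invariant is even checked.
  static final int MAX_ROW_LEN = 1 << 20;

  public static final class KeyRange {
    private byte[] startRow;
    private byte[] endRow;

    // No-arg constructor, as Writable-style classes need for reflective construction.
    public KeyRange() {}

    // Constructor-enforced invariant: both rows present, bounded, start <= end.
    public KeyRange(byte[] startRow, byte[] endRow) {
      init(startRow, endRow);
    }

    private void init(byte[] s, byte[] e) {
      if (s == null || e == null) throw new IllegalArgumentException("null row");
      if (s.length > MAX_ROW_LEN || e.length > MAX_ROW_LEN) throw new IllegalArgumentException("row too long");
      if (Arrays.compareUnsigned(s, e) > 0) throw new IllegalArgumentException("start row sorts after end row");
      this.startRow = s.clone();
      this.endRow = e.clone();
    }

    public void write(DataOutput out) throws IOException {
      out.writeInt(startRow.length); out.write(startRow);
      out.writeInt(endRow.length); out.write(endRow);
    }

    // Defective pattern from the issue: fields are assigned straight from the
    // stream, so the constructor's checks never run and any length is trusted.
    public void readFieldsUnchecked(DataInput in) throws IOException {
      startRow = new byte[in.readInt()];
      in.readFully(startRow);
      endRow = new byte[in.readInt()];
      in.readFully(endRow);
    }

    // Hardened: bound each length before allocating, then route the values
    // through the same init() the constructor uses, surfacing failures as IOException.
    public void readFields(DataInput in) throws IOException {
      byte[] s = readBoundedBytes(in);
      byte[] e = readBoundedBytes(in);
      try {
        init(s, e);
      } catch (IllegalArgumentException ex) {
        throw new IOException("invalid KeyRange on the wire: " + ex.getMessage(), ex);
      }
    }

    private static byte[] readBoundedBytes(DataInput in) throws IOException {
      int len = in.readInt();
      if (len < 0 || len > MAX_ROW_LEN) throw new IOException("bad row length " + len);
      byte[] b = new byte[len];
      in.readFully(b);
      return b;
    }

    public boolean isValid() {
      return startRow != null && endRow != null && Arrays.compareUnsigned(startRow, endRow) <= 0;
    }
  }

  // Constructed sample input: a range encoded as start "m", end "a", which the
  // constructor would reject because "m" sorts after "a".
  static byte[] hostileBytes() throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    DataOutputStream out = new DataOutputStream(bos);
    out.writeInt(1); out.write('m');
    out.writeInt(1); out.write('a');
    return bos.toByteArray();
  }

  public static void main(String[] args) throws IOException {
    KeyRange unchecked = new KeyRange();
    unchecked.readFieldsUnchecked(new DataInputStream(new ByteArrayInputStream(hostileBytes())));
    System.out.println("unchecked readFields produced invalid object: " + !unchecked.isValid());

    KeyRange checked = new KeyRange();
    try {
      checked.readFields(new DataInputStream(new ByteArrayInputStream(hostileBytes())));
      System.out.println("checked readFields accepted the bytes (unexpected)");
    } catch (IOException e) {
      System.out.println("checked readFields rejected the bytes: " + e.getMessage());
    }
  }
}
```

The same discipline applies to a constructor that takes a Thrift-generated struct: the struct's fields are whatever the peer sent, so they should pass through the identical validation before being stored. Rethrowing the constructor's IllegalArgumentException as an IOException from readFields() keeps the failure on the deserialization path, where callers already expect to handle malformed input, rather than letting a half-populated object escape.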
