accumulo-notifications mailing list archives
From "Bill Havanki (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ACCUMULO-1986) Validity checks missing for readFields and Thrift deserialization
Date Mon, 09 Dec 2013 15:52:07 GMT
Bill Havanki created ACCUMULO-1986:
--------------------------------------

             Summary: Validity checks missing for readFields and Thrift deserialization
                 Key: ACCUMULO-1986
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1986
             Project: Accumulo
          Issue Type: Bug
            Reporter: Bill Havanki


Classes in o.a.a.core.data (and potentially elsewhere) that support construction from a Thrift
object and/or population from a {{DataInput}} (via a {{readFields()}} method) often lack data
validity checks that the classes' constructors enforce. The missing checks make it possible
for an attacker to create invalid objects by manipulating the bytes being read. The situation
is analogous to the need to check objects deserialized from their Java serialized form within
the {{readObject()}} method.
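The pattern the issue describes, as an added example in Java that is not part of this report or of Accumulo's code: a hypothetical Writable-style class whose constructor validates its fields, with a readFields() that skips those checks shown beside a hardened readFields() that bounds the length prefix before allocating and then re-runs the constructor's validation. The class name, fields and sample bytes are constructed for illustration; the same principle applies to a constructor that takes a Thrift-generated object, which should validate the struct's fields before copying them.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.DataOutputStream;
import java.io.IOException;

/**
 * Hypothetical Writable-style value class (constructed for this example; not an
 * Accumulo class). The constructor enforces three invariants: a non-empty name,
 * a non-negative count, and a payload of at most MAX_PAYLOAD bytes.
 */
public final class ValidatedRecord {
  static final int MAX_PAYLOAD = 16;

  private String name;
  private int count;
  private byte[] payload;

  /** Public construction path: invariants are checked here. */
  public ValidatedRecord(String name, int count, byte[] payload) {
    this.name = name;
    this.count = count;
    this.payload = payload.clone();
    validate();
  }

  /** No-arg constructor used before readFields(); the object is not yet valid. */
  ValidatedRecord() {}

  private void validate() {
    if (name == null || name.isEmpty())
      throw new IllegalArgumentException("name must be non-empty");
    if (count < 0)
      throw new IllegalArgumentException("count must be non-negative, got " + count);
    if (payload == null || payload.length > MAX_PAYLOAD)
      throw new IllegalArgumentException("payload exceeds " + MAX_PAYLOAD + " bytes");
  }

  public void write(DataOutput out) throws IOException {
    out.writeUTF(name);
    out.writeInt(count);
    out.writeInt(payload.length);
    out.write(payload);
  }

  /** The pattern the issue describes: fields are populated with no validity checks. */
  public void readFieldsUnchecked(DataInput in) throws IOException {
    name = in.readUTF();
    count = in.readInt();
    int len = in.readInt();          // taken from the stream; no bound before allocation
    payload = new byte[len];
    in.readFully(payload);
  }

  /** Hardened variant: bounds the length before allocating, then re-runs validate(). */
  public void readFields(DataInput in) throws IOException {
    name = in.readUTF();
    count = in.readInt();
    int len = in.readInt();
    if (len < 0 || len > MAX_PAYLOAD)
      throw new IOException("invalid payload length " + len);
    payload = new byte[len];
    in.readFully(payload);
    validate();                      // same checks the constructor enforces
  }

  public int getCount() { return count; }
  public int getPayloadLength() { return payload.length; }

  /** Constructed sample input: a valid name, a negative count, and an oversized payload. */
  static byte[] craftedBytes() throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    DataOutputStream out = new DataOutputStream(bos);
    out.writeUTF("row1");
    out.writeInt(-5);                // the constructor would reject this
    out.writeInt(32);                // twice MAX_PAYLOAD
    out.write(new byte[32]);
    out.flush();
    return bos.toByteArray();
  }

  public static void main(String[] args) throws IOException {
    byte[] bytes = craftedBytes();

    ValidatedRecord unchecked = new ValidatedRecord();
    unchecked.readFieldsUnchecked(new DataInputStream(new ByteArrayInputStream(bytes)));
    System.out.println("unchecked: accepted count=" + unchecked.getCount()
        + " payloadLength=" + unchecked.getPayloadLength());

    ValidatedRecord checked = new ValidatedRecord();
    try {
      checked.readFields(new DataInputStream(new ByteArrayInputStream(bytes)));
      System.out.println("checked: accepted (unexpected)");
    } catch (IOException | IllegalArgumentException e) {
      System.out.println("checked: rejected (" + e.getMessage() + ")");
    }
  }
}
```

Compile and run with `javac ValidatedRecord.java && java ValidatedRecord`. The unchecked path yields a live object with a negative count and a payload larger than the constructor allows; the hardened path rejects the same bytes. Keeping the checks in one private method that both the constructor and readFields() call is what keeps the two paths from drifting apart.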



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
