accumulo-notifications mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-1986) Validity checks missing for readFields and Thrift deserialization
Date Wed, 18 Dec 2013 14:54:16 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13851793#comment-13851793 ]

ASF subversion and git services commented on ACCUMULO-1986:
-----------------------------------------------------------

Commit 2d97b875a90a63060bbda7c9e6d7e79e68de1ae2 in branch refs/heads/master from [~ecn]
[ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=2d97b87 ]

ACCUMULO-1986 merge failed to pull null pointer checks from 1.4


> Validity checks missing for readFields and Thrift deserialization
> -----------------------------------------------------------------
>
>                 Key: ACCUMULO-1986
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1986
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Bill Havanki
>            Assignee: Bill Havanki
>              Labels: serialization, thrift, validation
>             Fix For: 1.4.5
>
>         Attachments: ACCUMULO-1986.patch, examined-classes.txt
>
>
> Classes in o.a.a.core.data (and potentially elsewhere) that support construction from
> a Thrift object and/or population from a {{DataInput}} (via a {{readFields()}} method) often
> lack data validity checks that the classes' constructors enforce. The missing checks make
> it possible for an attacker to create invalid objects by manipulating the bytes being read.
> The situation is analogous to the need to check objects deserialized from their Java serialized
> form within the {{readObject()}} method.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
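The gap the issue describes, shown as an added Java illustration that is not Accumulo's code and not part of the message above: a hypothetical BoundedRange type whose constructor enforces its invariants, a readFieldsUnchecked() in the style the issue criticises (it trusts lengths and contents straight from the stream), and a hardened readFields() that bounds every length before allocating and then re-runs the constructor's own validation. The class, method names, the MAX_BOUND_LEN limit and the wire sample are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

/**
 * Hypothetical value type (constructed for this illustration, not an Accumulo class):
 * a byte-string range [start, end] whose constructor guarantees both bounds are
 * non-null and that start sorts at or before end in unsigned lexicographic order.
 */
public final class BoundedRange {
  /** Upper bound on one serialized bound's length; an assumed limit for this example. */
  static final int MAX_BOUND_LEN = 1 << 20;

  private byte[] start;
  private byte[] end;

  /** No-arg constructor, as Writable-style classes need before readFields(). */
  public BoundedRange() {}

  public BoundedRange(byte[] start, byte[] end) {
    validate(start, end);
    this.start = start.clone();
    this.end = end.clone();
  }

  /** The invariants the constructor enforces; readFields() must enforce the same ones. */
  private static void validate(byte[] start, byte[] end) {
    if (start == null || end == null) {
      throw new IllegalArgumentException("range bounds must not be null");
    }
    if (compareUnsigned(start, end) > 0) {
      throw new IllegalArgumentException("start must not sort after end");
    }
  }

  /** The pattern the issue describes: lengths and contents are taken from the stream as-is. */
  public void readFieldsUnchecked(DataInput in) throws IOException {
    byte[] s = new byte[in.readInt()];   // attacker-chosen length, never bounded
    in.readFully(s);
    byte[] e = new byte[in.readInt()];
    in.readFully(e);
    this.start = s;                      // no validate(): an inverted range becomes a live object
    this.end = e;
  }

  /** Hardened form: bound each length before allocating, then re-run the constructor's checks. */
  public void readFields(DataInput in) throws IOException {
    byte[] s = readBounded(in);
    byte[] e = readBounded(in);
    try {
      validate(s, e);
    } catch (IllegalArgumentException ex) {
      // Surface bad wire data as an I/O failure instead of constructing an invalid object.
      throw new IOException("invalid serialized range: " + ex.getMessage(), ex);
    }
    this.start = s;
    this.end = e;
  }

  private static byte[] readBounded(DataInput in) throws IOException {
    int len = in.readInt();
    if (len < 0 || len > MAX_BOUND_LEN) {
      throw new IOException("bad bound length " + len);
    }
    byte[] b = new byte[len];
    in.readFully(b);
    return b;
  }

  /** True only if the object satisfies the constructor's invariants. */
  public boolean isWellFormed() {
    return start != null && end != null && compareUnsigned(start, end) <= 0;
  }

  private static int compareUnsigned(byte[] a, byte[] b) {
    int n = Math.min(a.length, b.length);
    for (int i = 0; i < n; i++) {
      int d = (a[i] & 0xff) - (b[i] & 0xff);
      if (d != 0) return d;
    }
    return a.length - b.length;
  }

  public static void main(String[] args) throws IOException {
    // Constructed wire bytes: start "m" sorts after end "a", which the constructor would reject.
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    DataOutputStream out = new DataOutputStream(buf);
    out.writeInt(1); out.write('m');
    out.writeInt(1); out.write('a');
    byte[] wire = buf.toByteArray();

    BoundedRange unchecked = new BoundedRange();
    unchecked.readFieldsUnchecked(new DataInputStream(new ByteArrayInputStream(wire)));
    System.out.println("unchecked object well-formed: " + unchecked.isWellFormed());

    BoundedRange hardened = new BoundedRange();
    try {
      hardened.readFields(new DataInputStream(new ByteArrayInputStream(wire)));
    } catch (IOException ex) {
      System.out.println("hardened readFields rejected input: " + ex.getMessage());
    }
  }
}
```

Run with `javac BoundedRange.java && java BoundedRange`: the unchecked path yields an object whose isWellFormed() is false, while the hardened path throws IOException before any field is assigned. The design point is that validate() is a single routine shared by the constructor and readFields(), so the two construction paths cannot drift apart, and that length checks come before allocation so a hostile length cannot trigger a large allocation or a NegativeArraySizeException.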
