From: "Bill Havanki (JIRA)"
To: notifications@accumulo.apache.org
Date: Wed, 11 Dec 2013 21:54:07 +0000 (UTC)
Subject: [jira] [Assigned] (ACCUMULO-1986) Validity checks missing for readFields and Thrift deserialization

    [ https://issues.apache.org/jira/browse/ACCUMULO-1986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bill Havanki reassigned ACCUMULO-1986:
--------------------------------------

    Assignee: Bill Havanki

> Validity checks missing for readFields and Thrift deserialization
> -----------------------------------------------------------------
>
>                 Key: ACCUMULO-1986
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1986
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Bill Havanki
>            Assignee: Bill Havanki
>              Labels: serialization, thrift, validation
>
> Classes in o.a.a.core.data (and potentially elsewhere) that support construction from a Thrift object and/or population from a {{DataInput}} (via a {{readFields()}} method) often lack data validity checks that the classes' constructors enforce. The missing checks make it possible for an attacker to create invalid objects by manipulating the bytes being read. The situation is analogous to the need to check objects deserialized from their Java serialized form within the {{readObject()}} method.

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
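As an added illustration of the gap the report describes (not Accumulo's own code): a hypothetical value class whose constructor enforces its bounds invariants, with a readFields() that runs the same validation on values read from a DataInput, so a manipulated byte stream cannot populate an invalid object. The class name, field names and the MAX_LEN bound are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.IOException;

// Hypothetical value class in the style of the o.a.a.core.data types.
public final class ByteSpan {
  private static final int MAX_LEN = 1 << 20; // assumed sanity bound on a wire array

  private byte[] data;
  private int offset;
  private int length;

  // Constructor path: invariants are checked here ...
  public ByteSpan(byte[] data, int offset, int length) {
    this.data = data;
    this.offset = offset;
    this.length = length;
    validate();
  }

  public ByteSpan() {} // no-arg form used by readFields-style population

  // ... and the same checks are shared with every other population path
  // (readFields below; a fromThrift(...) factory would call validate() too).
  private void validate() {
    if (data == null) throw new IllegalArgumentException("data is null");
    if (offset < 0 || length < 0 || offset > data.length - length)
      throw new IllegalArgumentException(
          "span [" + offset + ", +" + length + ") outside array of " + data.length);
  }

  // Population from a DataInput: bound lengths before allocating, then validate.
  public void readFields(DataInput in) throws IOException {
    int len = in.readInt();
    if (len < 0 || len > MAX_LEN) throw new IOException("bad array length " + len);
    byte[] buf = new byte[len];
    in.readFully(buf);
    this.data = buf;
    this.offset = in.readInt();
    this.length = in.readInt();
    try { validate(); }
    catch (IllegalArgumentException e) { throw new IOException("invalid ByteSpan on wire", e); }
  }

  public static void main(String[] args) throws IOException {
    // Constructed wire bytes: len=4, 4 data bytes, offset=2, length=10 (overruns the array).
    byte[] wire = {0,0,0,4, 1,2,3,4, 0,0,0,2, 0,0,0,10};
    try { new ByteSpan().readFields(new DataInputStream(new ByteArrayInputStream(wire))); }
    catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```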