click-dev mailing list archives

From "Adrian A. (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLK-174) Security improvement of HiddenField
Date Sat, 02 Nov 2013 15:32:18 GMT

     [ https://issues.apache.org/jira/browse/CLK-174?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian A. updated CLK-174:
--------------------------

    Fix Version/s: 3.0.0

> Security improvement of HiddenField
> -----------------------------------
>
>                 Key: CLK-174
>                 URL: https://issues.apache.org/jira/browse/CLK-174
>             Project: Click
>          Issue Type: Improvement
>          Components: core
>            Reporter: Sadanori Ito
>            Assignee: Malcolm Edgar
>             Fix For: 3.0.0
>
>         Attachments: ASF.LICENSE.NOT.GRANTED--hiddenfield-security-patch.txt
>
>
> I'm not a security professional, but I think that the HiddenField has
> a security problem. When Serializable non-primitive objects are rendered,
> we can decode the hidden value and edit the serialized data using a binary editor.
> This patch is not the perfect solution, but will be a better option.
> Known issues in this patch:
> * Using a session to store the cryptographic key.
>   -> When the session times out, the hidden value can't be decrypted.
> * Default flag (not secure, for compatibility?)
> * Performance
> Reference:
> "Security in Object Serialization"
>   http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#2527
> "A.8 Encrypting a Bytestream"
>   http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#4346



--
This message was sent by Atlassian JIRA
(v6.1#6144)
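The report above describes two things: a client can decode and edit the serialized object carried in a hidden field, and the proposed fix keys the protection on a value kept in the session, so a timed-out session can no longer decode the value. The following is an added example written for this page; it is not Click's HiddenField code and not the attached patch, and the class name SealedHiddenValue, the choice of AES-GCM as the sealing primitive, and the per-session key generated in newSessionKey() are all assumptions made here (the issue does not say which algorithm the patch uses). It serializes an object, seals the bytes with an authenticated cipher under a key the browser never sees, and on submit refuses to hand anything to ObjectInputStream unless the authentication tag verifies, so the edited-bytes scenario and the expired-session scenario both end in a rejected value rather than a tampered object.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical helper (assumed name; not Click's HiddenField and not the attached patch):
 * serializes an object, seals it with AES-GCM under a server-side key, and only
 * deserializes on the way back if the GCM tag verifies.
 */
public final class SealedHiddenValue {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** One key per session, standing in for the session-stored key the report describes (assumption). */
    public static SecretKey newSessionKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Render side: object -> serialized bytes -> IV || ciphertext+tag -> base64 for the value="" attribute. */
    public static String seal(Serializable value, SecretKey key) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                      // fresh nonce per render; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(bos.toByteArray());
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Submit side: the tag is verified before a single byte reaches ObjectInputStream. */
    public static Object open(String hiddenValue, SecretKey key)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] in = Base64.getDecoder().decode(hiddenValue);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("hidden value too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] plain = c.doFinal(in, IV_BYTES, in.length - IV_BYTES); // AEADBadTagException on any edit or wrong key
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            // Defence in depth: even an authenticated payload gets depth/size limits (Java 9+ API).
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("maxdepth=8;maxbytes=4096"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey sessionKey = newSessionKey();
        // Constructed sample state; a real form would carry whatever the HiddenField wraps.
        java.util.ArrayList<String> state = new java.util.ArrayList<>(java.util.List.of("page=2", "sort=name"));
        String field = seal(state, sessionKey);
        System.out.println("round trip: " + open(field, sessionKey));

        // The report's binary-editor scenario: one edited byte fails the tag check.
        byte[] raw = Base64.getDecoder().decode(field);
        raw[raw.length - 1] ^= 0x01;
        try {
            open(Base64.getEncoder().encodeToString(raw), sessionKey);
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("tampered value rejected: " + e);
        }

        // The report's known issue: a new session means a new key, so the old value can't be decrypted.
        try {
            open(field, newSessionKey());
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("value from an expired session rejected: " + e);
        }
    }
}
```

The session-scoped key is what makes the timeout case fail closed: a value rendered under one session cannot be opened under another, which is the behaviour the report lists as a known issue. Deriving the key from a longer-lived server secret instead of the session would remove that limitation, at the cost of the per-session scoping the patch relies on.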
