tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martijn Brinkers (JIRA)" <...@tapestry.apache.org>
Subject [jira] Commented: (TAPESTRY-2482) Protect serialized object blobs from being tampered by external user
Date Thu, 14 Aug 2008 19:47:45 GMT

    [ https://issues.apache.org/jira/browse/TAPESTRY-2482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622659#action_12622659

Martijn Brinkers commented on TAPESTRY-2482:

My solution for this can be found at http://wiki.apache.org/tapestry/Tapestry5PreventClientSideChanges

> Protect serialized object blobs from being tampered by external user
> --------------------------------------------------------------------
>                 Key: TAPESTRY-2482
>                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2482
>             Project: Tapestry
>          Issue Type: Improvement
>          Components: Core Components
>    Affects Versions: 5.0.13
>            Reporter: Martijn Brinkers
> Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
> 'inject' arbitary serialiable objects.
> An external user can inject for example a very big byte array consuming a lot of memory.

> One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob
to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking
(currently done by Base64ObjectInputStream) would be serviced (that is make it a service)
so it would be easy to override this behaviour. 
> Same applies to t:formdata although the impact is less because it only accepts objects
implementing ComponentAction.   

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org

View raw message