[ACCUMULO-1986] Validity checks missing for readFields and Thrift deserialization - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.4.5, 1.5.1, 1.6.0
Component/s: None
Labels:

Description

Classes in o.a.a.core.data (and potentially elsewhere) that support construction from a Thrift object and/or population from a DataInput (via a readFields() method) often lack data validity checks that the classes' constructors enforce. The missing checks make it possible for an attacker to create invalid objects by manipulating the bytes being read. The situation is analogous to the need to check objects deserialized from their Java serialized form within the readObject() method.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

examined-classes.txt
12/Dec/13 20:09
0.8 kB
Bill Havanki
ACCUMULO-1986.patch
16/Dec/13 17:29
14 kB
Bill Havanki

Issue Links

links to

Review / patch

Activity

People

Assignee:: Bill Havanki

Reporter:: Bill Havanki

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Dec/13 15:51

Updated:: 18/Dec/13 14:54

Resolved:: 18/Dec/13 14:54