
Security improvement of HiddenField


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.0.0
    • Component/s: core
    • Labels:
      None

      Description

      I'm not a security professional, but I think that the HiddenField has
      a security problem. When a Serializable non-primitive object is rendered,
      we can decode the hidden value and edit the serialized data using a binary editor.

      This patch is not the perfect solution, but it will be a better option.

      Known issues in this patch:

      • Using a session to store the cryptographic key.
        -> When the session times out, the hidden value can't be decrypted.
      • Default flag (not secure, for compatibility?)
      • Performance

      Reference:

      "Security in Object Serialization"
      http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#2527
      "A.8 Encrypting a Bytestream"
      http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#4346
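      The problem the report describes, and one way to close it, as an added example (not Click's HiddenField code and not the attached patch). It assumes the hidden value is the Base64 of a Java-serialized object, seals it with AES-GCM under a per-session key (kept in the HttpSession in a real servlet, as the patch's "known issues" note describes) and refuses to deserialize anything that fails authentication. AES-GCM is used instead of the plain bytestream encryption in the referenced A.8 section because it also carries an authentication tag: an edited byte makes decryption fail, rather than producing a modified object. The OrderState class, the sample values and the tampering step are constructed for the example.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SealedHiddenValue {

    // Constructed sample of the kind of non-primitive object a form might carry in a hidden field.
    static final class OrderState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String account;
        final int amountCents;
        OrderState(String account, int amountCents) { this.account = account; this.amountCents = amountCents; }
        @Override public String toString() { return account + ":" + amountCents; }
    }

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }

    // Plain encoding (assumed rendering): whoever holds the page can decode, edit and re-encode it.
    static String encodePlain(Serializable obj) throws IOException {
        return Base64.getEncoder().encodeToString(serialize(obj));
    }

    static Object decodePlain(String value) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(
                new ByteArrayInputStream(Base64.getDecoder().decode(value)))) {
            return ois.readObject();
        }
    }

    // Per-session key; a servlet would keep it in the HttpSession (assumption about where it lives).
    static SecretKey newSessionKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // Sealed encoding: AES-GCM output is iv || ciphertext || tag, so any edit breaks the tag.
    static String encodeSealed(Serializable obj, SecretKey key) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(serialize(obj));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Returns null whenever the value cannot be authenticated: tampered, malformed, or the session key is gone.
    static Object decodeSealed(String value, SecretKey key) throws IOException, ClassNotFoundException {
        if (key == null) return null; // session timed out: the limitation the report lists; fail closed
        byte[] in;
        try { in = Base64.getDecoder().decode(value); } catch (IllegalArgumentException e) { return null; }
        if (in.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) return null;
        byte[] plain;
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, in, 0, GCM_IV_BYTES));
            plain = c.doFinal(in, GCM_IV_BYTES, in.length - GCM_IV_BYTES);
        } catch (GeneralSecurityException e) {
            return null; // AEADBadTagException on any modified byte; nothing reaches ObjectInputStream
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        OrderState state = new OrderState("acct-42", 1000);

        // 1. Plain value: the client substitutes its own serialized object and the server accepts it.
        String forged = encodePlain(new OrderState("acct-42", 1));
        System.out.println("plain value, forged by client: " + decodePlain(forged));

        // 2. Sealed value: round-trips under the session key; flipping one byte yields null.
        SecretKey key = newSessionKey();
        String sealed = encodeSealed(state, key);
        System.out.println("sealed round-trip: " + decodeSealed(sealed, key));
        byte[] raw = Base64.getDecoder().decode(sealed);
        raw[raw.length - 1] ^= 0x01;
        System.out.println("sealed, tampered: " + decodeSealed(Base64.getEncoder().encodeToString(raw), key));

        // 3. Session timed out: no key, so the value is rejected rather than trusted.
        System.out.println("sealed, session expired: " + decodeSealed(sealed, null));
    }
}
```

      The check that matters is the order of operations: the tag is verified before ObjectInputStream ever sees the bytes, so only values the server itself produced for this session are deserialized. An expired session leaves the value undecryptable, which is the trade-off the report already lists; the form should then be re-rendered rather than the stale value accepted.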


            People

            • Assignee:
              medgar Malcolm Edgar
              Reporter:
              sadanori Sadanori Ito
            • Votes:
              2
              Watchers:
              0
