[CLK-174] Security improvement of HiddenField - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 3.0.0
Component/s: core
Labels:
None

Description

I'm not security professional, but I think that the HiddenField has
a security problem. When Serializable non-primitive objects is rendered,
we can decode the hidden value and edit the serialized data using binary editor.

This patch is not the perfect solution, but will be better option.

Known issues in this patch:

Using a session to store the cryptographic key.
-> When the session does time-out, the hidden value can't be decrypted.
Default flag (not secure, for compatibility ?)
Performance

Reference:

"Security in Object Serialization"
http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#2527
"A.8 Encrypting a Bytestream"
http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#4346

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ASF.LICENSE.NOT.GRANTED--hiddenfield-security-patch.txt
29/Jan/07 13:08
13 kB
Sadanori Ito

Activity

People

Assignee:: Malcolm Edgar

Reporter:: Sadanori Ito

Votes:: 2 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 29/Jan/07 13:07

Updated:: 02/Nov/13 15:31