Click issue CLK-174

Security improvement of HiddenField

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.0.0
    • Component/s: core
    • Labels: None

      Description

      I'm not a security professional, but I think that the HiddenField has
      a security problem. When Serializable non-primitive objects are rendered,
      we can decode the hidden value and edit the serialized data using a binary editor.

      This patch is not the perfect solution, but it will be a better option.

      Known issues in this patch:

      • Using a session to store the cryptographic key.
        -> When the session times out, the hidden value can't be decrypted.
      • Default flag (not secure, for compatibility?)
      • Performance

      Reference:

      "Security in Object Serialization"
      http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#2527
      "A.8 Encrypting a Bytestream"
      http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html#4346

        Activity

        • Sadanori Ito created the issue.
        • Sadanori Ito added the attachment hiddenfield-security-patch.txt.
        • Henri Yandell: project import, Fri Mar 20 14:11:32 PDT 2009.
        • Adrian A.: set Fix Version/s to 3.0.0.

          People

          • Assignee: Malcolm Edgar
          • Reporter: Sadanori Ito
          • Votes: 2
          • Watchers: 0
