Details
Type: New Feature
Status: Resolved
Priority: Major
Resolution: Abandoned
Version: 5.0.15
Description
Using ClientPersistentFieldStorage (t:state:client parameter) an external user can 'inject' arbitrary serializable objects.
An external user can inject, for example, a very big byte array consuming a lot of memory.
One solution would be to add a keyed secure hash (an HMAC, to be precise) to the binary blob so Tapestry can detect that the blob has been tampered with. It would be nice if the packing/unpacking (currently done by Base64ObjectInputStream) were serviced (that is, made a service) so it would be easy to override this behaviour.
The same applies to t:formdata, although the impact is less because it only accepts objects implementing ComponentAction.
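The scheme proposed above, HMAC the serialized state blob so the server can reject anything the client altered or fabricated, is shown here as an added, language-neutral illustration in Python; it is not Tapestry code and does not use Base64ObjectInputStream. The serialized state is stood in for by JSON, the key is an assumed server-side secret, and the size limit and helper names (pack_state, unpack_state, forge_blob, flip_payload_byte, try_unpack) are this example's own. The two attacks from the report are both covered: a forged blob carrying a large payload is rejected on size before any decoding, and a blob the attacker built or modified without the key is rejected on tag mismatch before it is ever deserialized.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumed parameters (not from the issue): the server keeps a 32-byte secret,
# and no legitimate client state ever exceeds this many base64 characters.
MAX_BLOB_CHARS = 4096
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


class TamperedState(ValueError):
    """The blob was not produced with our key, or was changed afterwards."""


class OversizedState(ValueError):
    """The blob is larger than any state we would ever emit; refuse cheaply."""


def pack_state(state, key):
    """Serialize state, prepend HMAC-SHA256(key, payload), base64 the result."""
    payload = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


def unpack_state(blob, key):
    """Verify the tag, then (and only then) deserialize the payload."""
    # 1. Size check first: a huge blob must never reach the decoder or parser.
    if len(blob) > MAX_BLOB_CHARS:
        raise OversizedState(f"{len(blob)} chars > {MAX_BLOB_CHARS}")
    # 2. Decode the container; malformed base64 is treated as tampering.
    try:
        raw = base64.urlsafe_b64decode(blob.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError) as exc:
        raise TamperedState("not valid base64") from exc
    if len(raw) < TAG_LEN:
        raise TamperedState("blob too short to carry a tag")
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    # 3. Constant-time tag comparison, so a forger cannot learn the tag byte by byte.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TamperedState("HMAC mismatch")
    # 4. Only authenticated bytes are deserialized.
    return json.loads(payload)


def try_unpack(blob, key):
    """Return ('ok', state) or ('rejected', reason); handy for logging and tests."""
    try:
        return ("ok", unpack_state(blob, key))
    except OversizedState:
        return ("rejected", "oversized")
    except TamperedState:
        return ("rejected", "tampered")


def forge_blob(payload):
    """What an attacker without the key can build: any payload under a fake tag."""
    return base64.urlsafe_b64encode(b"\x00" * TAG_LEN + payload).decode("ascii")


def flip_payload_byte(blob):
    """Modify one byte of a genuine blob's payload, leaving the tag untouched."""
    raw = base64.urlsafe_b64decode(blob.encode("ascii"))
    raw = raw[:-1] + bytes([raw[-1] ^ 0x01])
    return base64.urlsafe_b64encode(raw).decode("ascii")


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    genuine = pack_state({"page": "Index", "counter": 3}, key)
    print("genuine   ->", try_unpack(genuine, key))
    print("tampered  ->", try_unpack(flip_payload_byte(genuine), key))
    print("forged    ->", try_unpack(forge_blob(b"A" * 100), key))
    print("oversized ->", try_unpack(forge_blob(b"A" * 10_000), key))
```

The order of the checks is the point: the length test runs before base64 decoding, the tag is verified before the parser sees a byte, and the comparison is constant-time. In a framework that deserializes real objects (Java serialization, Python pickle) the tag check is the only thing standing between an unauthenticated request and the deserialization gadget chain, which is why the report's suggestion to make packing and unpacking an overridable service matters: it lets a deployment swap in a keyed scheme like this one without patching the framework.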