Tapestry 5
  1. Tapestry 5
  2. TAP5-111

Protect serialized object blobs from being tampered by external user

        Details

        • Type: New Feature New Feature
        • Status: Resolved
        • Priority: Major Major
        • Resolution: Unresolved
        • Affects Version/s: 5.0.15
        • Fix Version/s: None
        • Component/s: None
        • Labels:
          None

          Description

          Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
          'inject' arbitary serialiable objects.
          An external user can inject for example a very big byte array consuming a lot of memory.

          One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour.

          Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.

            Activity

            No work has yet been logged on this issue.

              People

              • Assignee:
                Howard M. Lewis Ship
                Reporter:
                Martijn Brinkers
              • Votes:
                2 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Development