Tapestry 5 - TAP5-111

Protect serialized object blobs from being tampered by external user

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.0.15
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
      'inject' arbitrary serializable objects.
      An external user can inject, for example, a very big byte array consuming a lot of memory.

      One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob so Tapestry can detect that the blob has been tampered with. It would be nice if the packing/unpacking (currently done by Base64ObjectInputStream) were serviced (that is, made a service) so it would be easy to override this behaviour.

      The same applies to t:formdata, although the impact is less because it only accepts objects implementing ComponentAction.
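      The following is an added illustration of the mitigation the reporter proposes, not code from Tapestry or from the reporter. It shows a client-state codec that packs a serialized object as base64(tag || payload) with tag = HMAC-SHA256(key, payload), and on the way back verifies the tag in constant time before any byte reaches ObjectInputStream, so a client that substitutes its own serialized byte array (the memory-consumption case from the report) is rejected without being deserialized. The class name HmacObjectCodec, the key handling and the sample state object are assumptions made for the example; Tapestry's real t:state:client format is not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative codec (not Tapestry's own): wire format is
 *   base64url( HMAC-SHA256(key, payload) || payload )
 * where payload is the Java-serialized object. unpack() refuses to
 * deserialize anything whose tag does not verify.
 */
public final class HmacObjectCodec {
    private static final String MAC_ALG = "HmacSHA256";
    private static final int TAG_LEN = 32;            // HMAC-SHA256 output size

    private final byte[] key;                         // server-side secret, never sent to the client

    public HmacObjectCodec(byte[] key) {
        if (key.length < 32) throw new IllegalArgumentException("key too short");
        this.key = key.clone();
    }

    /** Fresh random key; in a real deployment this comes from configuration shared by all nodes. */
    public static byte[] newKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    private byte[] mac(byte[] payload) throws GeneralSecurityException {
        Mac m = Mac.getInstance(MAC_ALG);
        m.init(new SecretKeySpec(key, MAC_ALG));
        return m.doFinal(payload);
    }

    /** Serialize, tag, and encode for embedding in the page. */
    public String pack(Object o) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        byte[] payload = bos.toByteArray();
        byte[] tag = mac(payload);
        byte[] out = new byte[TAG_LEN + payload.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(payload, 0, out, TAG_LEN, payload.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Decode, verify the tag, and only then deserialize. */
    public Object unpack(String blob) throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] in;
        try {
            in = Base64.getUrlDecoder().decode(blob);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed blob");
        }
        if (in.length < TAG_LEN) throw new SecurityException("blob too short");
        byte[] tag = Arrays.copyOfRange(in, 0, TAG_LEN);
        byte[] payload = Arrays.copyOfRange(in, TAG_LEN, in.length);
        // Constant-time comparison; the check happens before ObjectInputStream
        // ever sees attacker-controlled bytes.
        if (!MessageDigest.isEqual(tag, mac(payload))) throw new SecurityException("tampered blob");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HmacObjectCodec codec = new HmacObjectCodec(newKey());

        // Constructed sample of persisted field state (assumption: a String[]).
        String blob = codec.pack(new String[] {"page", "field", "value"});
        System.out.println("round trip ok: " + ((String[]) codec.unpack(blob))[2]);

        // Simulate the report's attack: the client sends its own serialized 1 MB byte[]
        // instead of the server-issued state. Without the tag this would be allocated
        // and deserialized; with it, unpack() rejects the blob first.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new byte[1024 * 1024]); }
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(bos.toByteArray());
        try {
            codec.unpack(forged);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Two caveats a practitioner would add. The HMAC proves only that this server (or another holding the same key) produced the blob; it gives no confidentiality, so nothing secret belongs in client-side state, and the key must be identical across all nodes of a cluster or state issued by one node will be rejected by another. Second, the tag does not make Java deserialization of accepted blobs safe in itself; if the key ever leaks, the server is back to deserializing attacker-chosen objects, so a deserialization allowlist (java.io.ObjectInputFilter on Java 9 and later) is a sensible second layer behind the check.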

        Activity

        Field: Original Value -> New Value

        Martijn Brinkers created issue
        Howard M. Lewis Ship made changes
          Fix Version/s: 5.1 [ 12312964 ]
        Howard M. Lewis Ship made changes
          Fix Version/s: 5.1 [ 12312964 ]
          Issue Type: Improvement [ 4 ] -> Bug [ 1 ]
          Affects Version/s: 5.0.13 [ 12313205 ]
          Project: Tapestry [ 10573 ] -> Tapestry 5 [ 12310833 ]
          Key: TAPESTRY-2482 -> TAP5-111
          Component/s: Core Components [ 12311677 ]
        Howard M. Lewis Ship made changes
          Affects Version/s: 5.0.15 [ 12313429 ]
        Howard M. Lewis Ship made changes
          Issue Type: Bug [ 1 ] -> New Feature [ 2 ]
        Massimo Lusetti made changes
          Status: Open [ 1 ] -> Closed [ 6 ]
          Fix Version/s: 5.3 [ 12316024 ]
          Resolution: Won't Fix [ 2 ]
        Howard M. Lewis Ship made changes
          Resolution: Won't Fix [ 2 ]
          Status: Closed [ 6 ] -> Reopened [ 4 ]
          Assignee: Howard M. Lewis Ship [ hlship ]
        Howard M. Lewis Ship made changes
          Fix Version/s: 5.3 [ 12316024 ]
        Howard M. Lewis Ship made changes
          Status: Reopened [ 4 ] -> Resolved [ 5 ]
          Resolution: Unresolved [ 9 ]

          People

          • Assignee: Howard M. Lewis Ship
          • Reporter: Martijn Brinkers
          • Votes: 2
          • Watchers: 1
