Uploaded image for project: 'Tapestry 5'
  1. Tapestry 5
  2. TAP5-111

Protect serialized object blobs from being tampered by external user

          Details

          • Type: New Feature
          • Status: Resolved
          • Priority: Major
          • Resolution: Unresolved
          • Affects Version/s: 5.0.15
          • Fix Version/s: None
          • Component/s: None
          • Labels:
            None

            Description

            Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
            'inject' arbitary serialiable objects.
            An external user can inject for example a very big byte array consuming a lot of memory.

            One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour.

            Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.

              Attachments

                Activity

                  People

                  • Assignee:
                    hlship Howard M. Lewis Ship
                    Reporter:
                    martijn_brinkers Martijn Brinkers
                  • Votes:
                    2 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: