Details
-
Type:
New Feature
-
Status: Resolved
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 5.0.15
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
Description
Using ClientPersistentFieldStorage (t:state:client parameter) an external user can
'inject' arbitary serialiable objects.
An external user can inject for example a very big byte array consuming a lot of memory.
One solution would be to add a keyed secure hash (HMAC to be precise) to the binary blob to Tapestry can detect that the blob has been tampered with. It be nice if the packing/unpacking (currently done by Base64ObjectInputStream) would be serviced (that is make it a service) so it would be easy to override this behaviour.
Same applies to t:formdata although the impact is less because it only accepts objects implementing ComponentAction.