Tapestry 5 / TAP5-111

Protect serialized object blobs from being tampered by external user

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.0.15
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Using ClientPersistentFieldStorage (the t:state:client parameter) an external user can
      'inject' arbitrary serializable objects.
      An external user can inject, for example, a very big byte array consuming a lot of memory.

      One solution would be to add a keyed secure hash (an HMAC, to be precise) to the binary blob so Tapestry can detect that the blob has been tampered with. It would be nice if the packing/unpacking (currently done by Base64ObjectInputStream) were made a service so it would be easy to override this behaviour.

      The same applies to t:formdata, although the impact is less because it only accepts objects implementing ComponentAction.
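      The mitigation proposed above, as an added example that is not Tapestry's own code nor the reporter's: a small hypothetical HmacSealedBlob helper that serializes a value, prepends an HMAC-SHA256 tag computed with a server-side secret, and Base64-encodes the result; on the way back it checks the tag in constant time and refuses to open an ObjectInputStream at all unless the tag matches, so a client-modified blob (including an oversized byte array) is rejected before any deserialization or allocation happens. The class name, the tag-then-payload layout and the demo secret are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not part of Tapestry): seals a serializable value into an
// HMAC-protected Base64 string and only deserializes after the tag verifies.
public final class HmacSealedBlob {
    private static final String MAC_ALG = "HmacSHA256";
    private static final int TAG_LEN = 32; // HMAC-SHA256 output size in bytes

    private final SecretKeySpec key;

    public HmacSealedBlob(byte[] secret) {
        this.key = new SecretKeySpec(secret, MAC_ALG);
    }

    /** Serialize the value, then emit Base64( tag || payload ). */
    public String seal(Serializable value) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        byte[] payload = bos.toByteArray();
        byte[] tag = mac(payload);
        byte[] out = new byte[TAG_LEN + payload.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(payload, 0, out, TAG_LEN, payload.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Verify the tag in constant time; deserialize only if it matches. */
    public Object unseal(String encoded)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        byte[] in;
        try {
            in = Base64.getUrlDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed client state", e);
        }
        if (in.length < TAG_LEN) {
            throw new SecurityException("client state too short");
        }
        byte[] tag = Arrays.copyOfRange(in, 0, TAG_LEN);
        byte[] payload = Arrays.copyOfRange(in, TAG_LEN, in.length);
        // MessageDigest.isEqual is constant-time, so the comparison leaks no timing.
        if (!MessageDigest.isEqual(tag, mac(payload))) {
            throw new SecurityException("client state failed HMAC check");
        }
        // Only now do we let ObjectInputStream touch the bytes.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(MAC_ALG);
        m.init(key);
        return m.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; a real deployment loads it from server-side configuration.
        byte[] secret = "demo-only-server-secret-change-me".getBytes(StandardCharsets.UTF_8);
        HmacSealedBlob sealer = new HmacSealedBlob(secret);

        String token = sealer.seal("page-state-value");
        System.out.println("round trip: " + sealer.unseal(token));

        // Simulate a client editing the blob: flip one payload byte and resubmit.
        byte[] raw = Base64.getUrlDecoder().decode(token);
        raw[raw.length - 1] ^= 0x01;
        try {
            sealer.unseal(Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
        } catch (SecurityException e) {
            System.out.println("tampered blob rejected: " + e.getMessage());
        }
    }
}
```

      The key point for t:state:client is ordering: the HMAC check runs before ObjectInputStream is constructed, so a tampered or inflated blob never reaches the deserializer. The HMAC only proves the blob was produced by the server; it does not make deserialization of server-produced blobs safe by itself, so on Java 9 and later a deserialization filter (ObjectInputFilter) restricting the permitted classes is a sensible additional layer.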

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee: Howard M. Lewis Ship
          • Reporter: Martijn Brinkers
          • Votes: 2
          • Watchers: 1
