[ https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13533247#comment-13533247 ]
Hudson commented on TAP5-2008:
------------------------------
Integrated in tapestry-trunk-freestyle #977 (See [https://builds.apache.org/job/tapestry-trunk-freestyle/977/])
TAP5-2008: Implement HMAC signatures on object streams stored on the client
(Revision 95846b173d83c2eb42db75dae3e7d5e13a633946)
Result = FAILURE
hlship :
Files :
* tapestry-core/src/main/java/org/apache/tapestry5/internal/util/TeeOutputStream.java
* tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataSinkImpl.java
* tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
* tapestry-core/src/main/java/org/apache/tapestry5/services/ClientDataEncoder.java
* tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
* tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
* tapestry-core/src/main/java/org/apache/tapestry5/internal/util/MacOutputStream.java
* tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ClientDataEncoderImpl.java
* tapestry-core/src/test/groovy/org/apache/tapestry5/internal/services/ClientDataEncoderImplTest.groovy
> Serialized object data stored on the client should be HMAC signed and validated
> -------------------------------------------------------------------------------
>
> Key: TAP5-2008
> URL: https://issues.apache.org/jira/browse/TAP5-2008
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.3.5, 5.4
> Reporter: Howard M. Lewis Ship
> Assignee: Howard M. Lewis Ship
> Labels: fixed-in-5.4-js-rewrite, security
> Fix For: 5.3.6, 5.4
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are
> stored on the client; primarily, this is for form submissions, to encode the
> set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the
> encoded data has not been tampered with. It is relatively easy to create a
> DOS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to
> ensure that the contents of such data are valid; the signing and validation
> should occur after writing GZipped content, and before GZip decoding (it is
> very easy to provide a small gzipped payload that expands to an enormous
> size, for example; this is one form of DOS).
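The layout the issue asks for, as an added illustration rather than Tapestry's own ClientDataEncoder code: the object graph is serialized and gzipped, the HMAC is computed over the compressed bytes, and on the way back the MAC is checked (in constant time) before the gzip stream is ever opened, so a forged or bit-flipped payload never reaches the inflater or ObjectInputStream. Class and method names (SignedClientData, encode, decode) and the mac-then-body framing are assumptions made for this example; the secret is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example of sign-after-gzip / verify-before-gunzip; not Tapestry's implementation. */
public final class SignedClientData {
    private static final String MAC_ALGORITHM = "HmacSHA256";
    private static final int MAC_LENGTH = 32; // HmacSHA256 output size in bytes

    private final SecretKeySpec key;

    public SignedClientData(byte[] secret) {
        this.key = new SecretKeySpec(secret, MAC_ALGORITHM);
    }

    /** Serialize, gzip, then MAC the gzipped bytes; result is Base64(mac || gzipped). */
    public String encode(Serializable value) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(new GZIPOutputStream(buffer))) {
            oos.writeObject(value);
        } // closing finishes the gzip trailer before we MAC the bytes
        byte[] gzipped = buffer.toByteArray();
        byte[] mac = mac(gzipped);
        byte[] framed = new byte[mac.length + gzipped.length];
        System.arraycopy(mac, 0, framed, 0, mac.length);
        System.arraycopy(gzipped, 0, framed, mac.length, gzipped.length);
        return Base64.getEncoder().encodeToString(framed);
    }

    /** Verify the MAC over the still-compressed bytes before any inflation or deserialization. */
    public Object decode(String encoded) throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(encoded);
        if (raw.length < MAC_LENGTH) {
            throw new SecurityException("client data too short to carry a MAC");
        }
        byte[] presented = Arrays.copyOfRange(raw, 0, MAC_LENGTH);
        byte[] gzipped = Arrays.copyOfRange(raw, MAC_LENGTH, raw.length);
        // Constant-time comparison so the check does not leak how many bytes matched.
        if (!MessageDigest.isEqual(presented, mac(gzipped))) {
            throw new SecurityException("client data MAC mismatch");
        }
        // Only server-produced bytes get this far, so the inflater never sees an attacker's payload.
        try (ObjectInputStream ois = new ObjectInputStream(
                new GZIPInputStream(new ByteArrayInputStream(gzipped)))) {
            return ois.readObject();
        }
    }

    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(MAC_ALGORITHM);
        mac.init(key);
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder secret; a deployment would load a random per-installation key instead.
        byte[] secret = "replace-with-a-random-per-deployment-secret".getBytes(StandardCharsets.UTF_8);
        SignedClientData codec = new SignedClientData(secret);

        String token = codec.encode(new ArrayList<>(Arrays.asList("op1", "op2")));
        System.out.println("round trip: " + codec.decode(token));

        // Flip one bit inside the compressed body: rejected before gunzip ever runs.
        byte[] raw = Base64.getDecoder().decode(token);
        raw[raw.length - 1] ^= 0x01;
        try {
            codec.decode(Base64.getEncoder().encodeToString(raw));
        } catch (SecurityException e) {
            System.out.println("tampered: " + e.getMessage());
        }
    }
}
```

The point of the ordering is that every byte handed to GZIPInputStream and ObjectInputStream has already been authenticated, so the small-payload-expands-enormously case the issue describes is stopped at the MAC check rather than discovered mid-inflation; MessageDigest.isEqual is used instead of Arrays.equals so the comparison time does not depend on where the first mismatch occurs.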
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira