[ https://issues.apache.org/jira/browse/TAP5-111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Massimo Lusetti closed TAP5-111. -------------------------------- Resolution: Won't Fix Fix Version/s: 5.3 Please open a new one for 5.3 if this still applicable > Protect serialized object blobs from being tampered by external user > -------------------------------------------------------------------- > > Key: TAP5-111 > URL: https://issues.apache.org/jira/browse/TAP5-111 > Project: Tapestry 5 > Issue Type: New Feature > Affects Versions: 5.0.15 > Reporter: Martijn Brinkers > Fix For: 5.3 > > > Using ClientPersistentFieldStorage (t:state:client parameter) an external > user can > 'inject' arbitary serialiable objects. > An external user can inject for example a very big byte array consuming a lot > of memory. > One solution would be to add a keyed secure hash (HMAC to be precise) to the > binary blob to Tapestry can detect that the blob has been tampered with. It > be nice if the packing/unpacking (currently done by Base64ObjectInputStream) > would be serviced (that is make it a service) so it would be easy to override > this behaviour. > Same applies to t:formdata although the impact is less because it only > accepts objects implementing ComponentAction. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira