[ 
https://issues.apache.org/jira/browse/TAP5-2008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16710032#comment-16710032
 ] 

Mahendran commented on TAP5-2008:
---------------------------------

Yes, you are right. We cannot directly plug the code into 4.x. But the security 
issue fixed is required for Tapestry 4.0.2. Rather than upgrading to the latest 
version, which would solve the problem, applying the patch in the legacy version 
should require only minimal changes, I hope. 

> Serialized object data stored on the client should be HMAC signed and 
> validated
> -------------------------------------------------------------------------------
>
>                 Key: TAP5-2008
>                 URL: https://issues.apache.org/jira/browse/TAP5-2008
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.5, 5.4
>            Reporter: Howard M. Lewis Ship
>            Assignee: Howard M. Lewis Ship
>            Priority: Major
>              Labels: fixed-in-5.4-js-rewrite, security
>             Fix For: 5.3.6, 5.4
>
>
> Tapestry encodes serialized objects into Base64 encoded strings that are 
> stored on the client; primarily, this is for form submissions, to encode the 
> set of operations needed to process the form when it is submitted.
> However, Tapestry does not use any form of validation to ensure that the 
> encoded data has not been tampered with.  It is relatively easy to create a 
> DOS attack by exploiting this.
> Tapestry should use some form of HMAC (hash-based message authentication) to 
> ensure that the contents of such data are valid; the signing and validation 
> should occur after writing GZipped content, and before GZip decoding (it is 
> very easy to provide a small gzipped payload that expands to an enormous 
> size, for example; this is one form of DOS).
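The pattern the issue describes, sign the gzipped bytes and verify the tag before any gunzip happens, as an added illustration that is not part of this comment or of Tapestry's own implementation. The key, the 32-byte SHA-256 tag layout, the `MAX_DECOMPRESSED` cap and the sample payloads are all assumptions constructed for the example; a real deployment would load the key from application configuration rather than generate it per process.

```python
import base64
import gzip
import hashlib
import hmac
import os
import zlib

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag (assumed layout: tag || gzip bytes)
MAX_DECOMPRESSED = 64 * 1024             # assumed cap on decoded size; defence in depth beside the HMAC


def encode_client_data(key: bytes, payload: bytes) -> str:
    """Gzip the serialized payload, MAC the *compressed* bytes, then Base64 tag+body."""
    compressed = gzip.compress(payload)
    tag = hmac.new(key, compressed, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + compressed).decode("ascii")


def decode_client_data(key: bytes, token: str, max_size: int = MAX_DECOMPRESSED) -> bytes:
    """Verify the tag first; only a token that authenticates is ever decompressed."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) <= TAG_LEN:
        raise ValueError("token too short to carry a tag and a body")
    tag, compressed = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, compressed, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: client-side data was modified or signed with another key")
    # Authentic input, but still bound the expansion: wbits=16+MAX_WBITS selects gzip framing,
    # and max_length stops inflation one byte past the cap instead of trusting the stream.
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = inflater.decompress(compressed, max_size + 1)
    if len(out) > max_size or inflater.unconsumed_tail:
        raise ValueError("decompressed payload exceeds the configured cap")
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return out


def flip_byte_in_compressed(token: str, index: int = -1) -> str:
    """Constructed tampering helper for the demo: flip one bit of the signed body."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


def demo() -> dict:
    """Round-trip, tampering, wrong key and oversized-but-authentic cases; all should be True."""
    key = os.urandom(32)                      # constructed per-run key for the demo only
    token = encode_client_data(key, b"form-operations")
    results = {"roundtrip": decode_client_data(key, token) == b"form-operations"}

    for name, bad_key, bad_token in (
        ("tamper_rejected", key, flip_byte_in_compressed(token)),
        ("wrong_key_rejected", os.urandom(32), token),
        ("oversized_rejected", key, encode_client_data(key, b"\0" * (4 * MAX_DECOMPRESSED))),
    ):
        try:
            decode_client_data(bad_key, bad_token)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Verification happens on the raw compressed bytes, so a forged or corrupted token is rejected before `zlib` touches it; the size cap remains useful because a legitimately signed token can still be larger than the server wants to inflate.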



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)