
Tapestry Security Violations


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3, 5.4
    • Fix Version/s: 5.3.6, 5.4
    • Component/s: tapestry-core

    Description

      An unsolicited security review arrived concerning Tapestry; both core code, and the GSoC project that provides anti-CSRF (cross-site forgery protection).

      Although I am dubious about the "gzip bombs" allegation, it can be addressed. In theory, because the contents are an object stream, the objects could be replaced. In practice, all objects need to implement a Tapestry-specific interface (ComponentAction), which means that arbitrary objects cannot be injected; only objects that are already present on the classpath of the running application AND implement the ComponentAction interface could be injected. An attacker would already have "the keys to the kingdom" before they could do damage; that is, if they can manipulate the classpath of the running application, they already have the ability to deploy any code, or access internal servers directly.

      However, I would see this as an opportunity to remove the t:state:client ("client" PersistentFieldStrategy implementation).
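As an added illustration of the two defences the description relies on (this is example code, not Tapestry's own): a decoder for gzipped client-persisted state that caps the inflated size, which bounds any "gzip bomb", and rejects every class in the object stream that does not implement ComponentAction. The local ComponentAction interface, the count-then-objects stream layout and the 64 KiB cap are assumptions standing in for Tapestry's real types and format.

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

public class ClientStateDecoder {
    // Local stand-in for Tapestry's org.apache.tapestry5.ComponentAction marker interface.
    interface ComponentAction extends Serializable {}
    static class SetFieldAction implements ComponentAction { String field = "value"; } // constructed sample
    static class NotAnAction implements Serializable { int x = 1; }                   // constructed sample
    static final long MAX_INFLATED_BYTES = 64 * 1024;  // assumed cap on inflated state size

    /** Decodes gzipped client state, capping inflated bytes and admitting only ComponentAction types. */
    static List<ComponentAction> decode(byte[] gz) throws IOException, ClassNotFoundException {
        InputStream capped = new FilterInputStream(new GZIPInputStream(new ByteArrayInputStream(gz))) {
            long seen;
            void count(int n) throws IOException {
                if (n > 0 && (seen += n) > MAX_INFLATED_BYTES) throw new IOException("inflated state exceeds cap");
            }
            @Override public int read() throws IOException { int b = in.read(); count(b < 0 ? 0 : 1); return b; }
            @Override public int read(byte[] b, int off, int len) throws IOException {
                int n = in.read(b, off, len); count(n); return n;
            }
        };
        ObjectInputStream ois = new ObjectInputStream(capped) {
            @Override protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
                Class<?> c = super.resolveClass(d);  // loads without initializing; no constructor runs yet
                if (ComponentAction.class.isAssignableFrom(c)) return c;
                throw new InvalidClassException(c.getName(), "rejected: not a ComponentAction");
            }
        };
        int n = ois.readInt();                       // assumed layout: action count, then n actions
        List<ComponentAction> actions = new ArrayList<>();
        for (int i = 0; i < n; i++) actions.add((ComponentAction) ois.readObject());
        return actions;
    }

    /** Writes the same layout the decoder expects, so the demo is self-contained. */
    static byte[] encode(Serializable... objs) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(new GZIPOutputStream(bytes))) {
            oos.writeInt(objs.length);
            for (Serializable o : objs) oos.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted " + decode(encode(new SetFieldAction())).size() + " action(s)");
        try { decode(encode(new NotAnAction())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The type check runs before any field of the rejected object is read, so a stream carrying a non-ComponentAction class fails at the class descriptor rather than after the object is materialised.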

          People

            Assignee: hlship (Howard Lewis Ship)
            Reporter: hlship (Howard Lewis Ship)
            Votes: 0
            Watchers: 1