Revision cd39af5d

ID: cd39af5dddd1695b499ca038c5add38d46436e4c

Added by Andreas Förthner over 9 years ago

[SECURITY] Protect arguments of form __referrer with HMAC

The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect FLOW3 from possible unserialize
attacks.

Note: For now there is no object known within the FLOW3
Distribution, that could be used for an unserialize
exploit!

This change also backports some convenience hmac methods
to the hash service from the current master, to have the
bugfix in sync.

Change-Id: Ifeb87d0a85308f25cff2573a1ce2fc62dcd1e5fd
Security-Bulletin: FLOW3-SA-2012-001
Fixes: #35300
Releases: 1.0, 1.1
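
The protection described in the commit message, sketched as an added example; it is not the FLOW3 code from this revision. The helper names `appendHmac` and `validateAndStripHmac`, the HMAC-SHA256 choice, the base64 field encoding and the sample arguments are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: names and key handling are assumptions, not FLOW3's API.
const HMAC_HEX_LENGTH = 64; // hex length of an HMAC-SHA256 tag

function appendHmac(string $payload, string $key): string
{
    return $payload . hash_hmac('sha256', $payload, $key);
}

function validateAndStripHmac(string $field, string $key): string
{
    if (strlen($field) < HMAC_HEX_LENGTH) {
        throw new InvalidArgumentException('Field too short to carry an HMAC');
    }
    $payload = substr($field, 0, -HMAC_HEX_LENGTH);
    $tag = substr($field, -HMAC_HEX_LENGTH);
    // hash_equals() compares in constant time, unlike === on strings.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        throw new RuntimeException('HMAC mismatch: hidden field was modified');
    }
    return $payload;
}

// Constructed sample: key and arguments are made up for this example.
$key = random_bytes(32); // a real application uses a persistent server-side secret
$arguments = ['article' => ['title' => 'Hello'], 'page' => 2];

// Rendering the form: serialize, sign, then encode for the hidden field.
$hidden = base64_encode(appendHmac(serialize($arguments), $key));

// Handling the submit: verify first, unserialize only what passed (PHP 7+ option).
$restored = unserialize(
    validateAndStripHmac(base64_decode($hidden, true), $key),
    ['allowed_classes' => false]
);
var_dump($restored === $arguments);

// A field edited on the client no longer matches its tag and is rejected.
$raw = base64_decode($hidden, true);
$tampered = base64_encode(str_replace('Hello', 'HELLO', $raw));
try {
    validateAndStripHmac(base64_decode($tampered, true), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The order matters: the tag is checked on the raw string before `unserialize()` ever sees it, so no object is instantiated from data the server did not produce.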