
Revision cd39af5d


Added by Andreas Förthner over 9 years ago

[SECURITY] Protect arguments of form __referrer with HMAC

The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect FLOW3 from possible unserialize

Note: For now there is no object known within the FLOW3
Distribution, that could be used for an unserialize

This change also backports some convenience hmac methods
to the hash service from the current master, to have the
bugfix in sync.

Change-Id: Ifeb87d0a85308f25cff2573a1ce2fc62dcd1e5fd
Security-Bulletin: FLOW3-SA-2012-001
Fixes: #35300
Releases: 1.0, 1.1
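
The protection this commit message describes, as an added PHP example that is not FLOW3's code and not part of this revision: the serialized arguments are signed before they are written to the hidden field, and the HMAC is verified before `unserialize()` is ever called. The function names, the choice of HMAC-SHA256, the base64 wrapping and the `allowed_classes` restriction are assumptions of this sketch.

```php
<?php
// Added illustration; helper names and the key handling are hypothetical.
const HMAC_HEX_LENGTH = 64; // hex length of an HMAC-SHA256 digest

function appendHmac(string $payload, string $key): string
{
    return $payload . hash_hmac('sha256', $payload, $key);
}

function validateAndStripHmac(string $signed, string $key): string
{
    if (strlen($signed) <= HMAC_HEX_LENGTH) {
        throw new InvalidArgumentException('Value is too short to carry an HMAC');
    }
    $payload = substr($signed, 0, -HMAC_HEX_LENGTH);
    $mac = substr($signed, -HMAC_HEX_LENGTH);
    // hash_equals() compares in constant time, so the check leaks no prefix match.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('HMAC mismatch: hidden field was modified');
    }
    return $payload;
}

function encodeReferrerArguments(array $arguments, string $key): string
{
    return appendHmac(base64_encode(serialize($arguments)), $key);
}

function decodeReferrerArguments(string $field, string $key): array
{
    // Verify first: unserialize() must never see bytes the server did not sign.
    $payload = validateAndStripHmac($field, $key);
    // Defence in depth: refuse to instantiate any class while unserializing.
    $data = unserialize(base64_decode($payload, true), ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('Unexpected payload type');
    }
    return $data;
}

$key = random_bytes(32);                       // constructed per-run secret
$arguments = ['name' => 'Jane', 'page' => 2];  // constructed sample arguments
$field = encodeReferrerArguments($arguments, $key);
var_dump(decodeReferrerArguments($field, $key) === $arguments);

$tampered = 'X' . substr($field, 1);           // simulate a client-side edit
try {
    decodeReferrerArguments($tampered, $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```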
