[ 
https://issues.apache.org/jira/browse/CMIS-1001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15581453#comment-15581453
 ] 

Florian Müller commented on CMIS-1001:
--------------------------------------

Your patch only covers the createDocument and the checkIn operations of the 
Browser Binding. In both cases, the stream is embedded in a multipart message. 
If a stream gets really corrupted, the multipart message cannot be parsed and 
OpenCMIS rejects the call anyway. Your patch only protects the server from 
small corruptions that only happen when the content part is transferred.

Additionally, the Content-MD5 header is Base64 encoded, not Hex encoded. (see 
RFC 1864)

> Parse Content-MD5 Mime Header and use it for validation if present
> ------------------------------------------------------------------
>
>                 Key: CMIS-1001
>                 URL: https://issues.apache.org/jira/browse/CMIS-1001
>             Project: Chemistry
>          Issue Type: Improvement
>          Components: opencmis-server
>    Affects Versions: OpenCMIS 1.0.0
>            Reporter: Ron Gavlin
>            Priority: Minor
>
> Sometimes content streams get corrupted over the wire. Content stream hashes 
> are often used to protect against these corruptions.
> Apache Chemistry OpenCMIS should validate contentStream input to AtomPub and 
> Browser Binding CMIS operations, including setContentStream, 
> appendContentStream, checkIn, and createDocument, by comparing the content 
> stream MD5 hash against a Content-MD5 MIME header if present. A CMIS 
> invalidArgument exception should be thrown if the hashes are not equal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
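
The encoding point raised in the comment above matters for any Content-MD5 check: a hex-encoded MD5 string consists only of valid Base64 characters and decodes to 24 bytes, so a validator should Base64-decode the header and require exactly 16 bytes before comparing. The stand-alone Java class below is an added example, not code from the patch or from OpenCMIS; the class and method names are hypothetical, the sample content is constructed, and it uses only JDK 8+ classes.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class ContentMd5Check {

    /** Hashes the stream while reading it and compares with a Base64 Content-MD5 value (RFC 1864). */
    static boolean matches(InputStream content, String headerValue)
            throws IOException, NoSuchAlgorithmException {
        byte[] expected;
        try {
            expected = Base64.getDecoder().decode(headerValue.trim());
        } catch (IllegalArgumentException e) {
            return false; // header is not valid Base64
        }
        if (expected.length != 16) {
            return false; // MD5 is 16 bytes; a 32-character hex string decodes to 24
        }
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        try (DigestInputStream in = new DigestInputStream(content, md5)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) {
                // a server would hand buf to the repository here
            }
        }
        return MessageDigest.isEqual(expected, md5.digest());
    }

    public static void main(String[] args) throws Exception {
        byte[] body = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("MD5").digest(body);
        String base64 = Base64.getEncoder().encodeToString(digest);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        byte[] damaged = body.clone();
        damaged[3] ^= 0x01; // single flipped bit, as in a transfer corruption

        // A false result is where the caller would raise CMIS invalidArgument.
        System.out.println("Base64 header, intact body:  " + matches(new ByteArrayInputStream(body), base64));
        System.out.println("Base64 header, damaged body: " + matches(new ByteArrayInputStream(damaged), base64));
        System.out.println("hex header, intact body:     " + matches(new ByteArrayInputStream(body), hex.toString()));
    }
}
```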
