Ron Gavlin commented on CMIS-1001:

Our experience with minor corruptions that occur during content part transfer 
motivated this patch. In our case, we use multipart/form-data encoding for all 
4 content-related actions including setContent and appendContent. For 
multipart/form-data Message Integrity Checking, it seems reasonable to me to 
perform this validation in the MultipartParser. Of course, 
validation-enablement could be made configurable. Also, if you do not want hash 
validation in the Framework, would you consider simply parsing the Mime Header 
in the MultipartParser as done in the current patch and exposing the Header to 
Framework consumers as a getter in say the POSTHttpServletRequestWrapper?

Yes, I concur that the header should be Base64 encoded per RFC 1864. I can 
correct in a revised patch.

Let me know how you would like me to proceed.

> Parse Content-MD5 Mime Header and use it for validation if present
> ------------------------------------------------------------------
>                 Key: CMIS-1001
>                 URL: https://issues.apache.org/jira/browse/CMIS-1001
>             Project: Chemistry
>          Issue Type: Improvement
>          Components: opencmis-server
>    Affects Versions: OpenCMIS 1.0.0
>            Reporter: Ron Gavlin
>            Priority: Minor
> Sometimes content streams get corrupted over the wire. Content stream hashes 
> are often used to protect against these corruptions.
> Apache Chemistry OpenCMIS should validate contentStream input to AtomPub and 
> Browser Binding CMIS operations, including setContentStream, 
> appendContentStream, checkIn, and createDocument, by comparing the content 
> stream MD5 hash against a Content-MD5 MIME header if present. A CMIS 
> invalidArgument exception should be thrown if the hashes are not equal.

This message was sent by Atlassian JIRA

Reply via email to