[jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present

2016-10-17 Thread Ron Gavlin (JIRA)

[ 
https://issues.apache.org/jira/browse/CMIS-1001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15584194#comment-15584194
 ] 

Ron Gavlin commented on CMIS-1001:
--

Per Florent's suggestion, I will address this issue by implementing support for 
RFC 3230 HTTP Digest Header verification in the server. This is preferred since 
Mime Header verification only supports multipart/form-data MIC and provides no 
solution for application/x-www-form-urlencoded MIC.

> Parse Content-MD5 Mime Header and use it for validation if present
> --
>
> Key: CMIS-1001
> URL: https://issues.apache.org/jira/browse/CMIS-1001
> Project: Chemistry
> Issue Type: Improvement
> Components: opencmis-server
> Affects Versions: OpenCMIS 1.0.0
> Reporter: Ron Gavlin
> Priority: Minor
>
> Sometimes content streams get corrupted over the wire. Content stream hashes 
> are often used to protect against these corruptions.
> Apache Chemistry OpenCMIS should validate contentStream input to AtomPub and 
> Browser Binding CMIS operations, including setContentStream, 
> appendContentStream, checkIn, and createDocument, by comparing the content 
> stream MD5 hash against a Content-MD5 MIME header if present. A CMIS 
> invalidArgument exception should be thrown if the hashes are not equal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present

2016-10-17 Thread Florent Guillaume (JIRA)

[ 
https://issues.apache.org/jira/browse/CMIS-1001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15581915#comment-15581915
 ] 

Florent Guillaume commented on CMIS-1001:
-

The patch also only deals with MD5 while the more recent {{Digest}} header 
defined by RFC 3230 allows the use of SHA-1 (and SHA-256 and SHA-512 through 
RFC 5843). It would be a shame to not take it into account.



[jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present

2016-10-17 Thread JIRA

[ 
https://issues.apache.org/jira/browse/CMIS-1001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15581453#comment-15581453
 ] 

Florian Müller commented on CMIS-1001:
--

Your patch only covers the createDocument and the checkIn operations of the 
Browser Binding. In both cases, the stream is embedded in a multipart message. 
If a stream gets really corrupted, the multipart message cannot be parsed and 
OpenCMIS rejects the call anyway. Your patch only protects the server from 
small corruptions that only happen when the content part is transferred.

Additionally, the Content-MD5 header is Base64 encoded, not Hex encoded. (see 
RFC 1864)

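The two header formats raised in this thread, Content-MD5 as Base64 (RFC 1864) and the RFC 3230 Digest header with the RFC 5843 algorithms, checked against a body. This is an added example, not part of the thread or of the OpenCMIS patch; the class and method names are hypothetical, the sample body is constructed, and only the JDK is used.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class DigestHeaderCheck {
    // Digest tokens (RFC 3230, RFC 5843) -> JCA algorithm names, strongest first.
    static final String[][] ALGORITHMS = {
        {"SHA-512", "SHA-512"}, {"SHA-256", "SHA-256"}, {"SHA", "SHA-1"}, {"MD5", "MD5"}};

    /** Checks the body against the strongest supported entry of a Digest header value. */
    static boolean matchesDigest(String header, byte[] body) throws Exception {
        Map<String, String> offered = new HashMap<>();
        for (String part : header.split(",")) {
            int eq = part.indexOf('=');  // first '=' only; Base64 padding is also '='
            if (eq > 0) {
                offered.put(part.substring(0, eq).trim().toUpperCase(Locale.ROOT),
                        part.substring(eq + 1).trim());
            }
        }
        for (String[] alg : ALGORITHMS) {
            String value = offered.get(alg[0]);
            if (value == null) continue;
            byte[] expected;
            try {
                expected = Base64.getDecoder().decode(value);
            } catch (IllegalArgumentException e) {
                return false;  // not Base64 at all
            }
            // A hex string can decode as Base64 too, but to the wrong length, so it fails here.
            return MessageDigest.isEqual(expected, MessageDigest.getInstance(alg[1]).digest(body));
        }
        throw new IllegalArgumentException("no supported algorithm in Digest header");
    }

    /** Content-MD5 (RFC 1864) carries the Base64 of the 16 raw MD5 bytes. */
    static boolean matchesContentMd5(String header, byte[] body) throws Exception {
        return matchesDigest("MD5=" + header.trim(), body);
    }

    public static void main(String[] args) throws Exception {
        byte[] body = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        byte[] md5 = MessageDigest.getInstance("MD5").digest(body);
        String b64 = Base64.getEncoder().encodeToString(md5);
        String hex = String.format("%032x", new BigInteger(1, md5));  // same hash, wrong encoding
        String sha = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(body));
        System.out.println("Content-MD5, Base64: " + matchesContentMd5(b64, body));
        System.out.println("Content-MD5, hex:    " + matchesContentMd5(hex, body));
        System.out.println("Digest, two entries: " + matchesDigest("md5=" + b64 + ", sha-256=" + sha, body));
    }
}
```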


[jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present

2016-10-16 Thread Ron Gavlin (JIRA)

[ 
https://issues.apache.org/jira/browse/CMIS-1001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15581098#comment-15581098
 ] 

Ron Gavlin commented on CMIS-1001:
--

The proposed patch is available as PR: 
https://github.com/apache/chemistry-opencmis/pull/9.

Please review and provide feedback. 

Thanks,

Ron



[jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present

2016-10-16 Thread JIRA

[ 
https://issues.apache.org/jira/browse/CMIS-1001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15579833#comment-15579833
 ] 

Florian Müller commented on CMIS-1001:
--

That is impossible for some operations. For example, setContentStream hands 
over the stream to the server implementation without reading it first. 
Therefore, the framework cannot compute the MD5 hash and throw an exception.
The server implementation, on the other hand, can do it because it knows how to 
roll back any changes if it encounters a hash mismatch at the end of the stream.

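The end-of-stream check described in the comment above, as an added example that is not part of the thread or of OpenCMIS: a stream wrapper hashes the bytes while the consumer reads them, and the consumer commits only if the check at end of stream passes. All names are hypothetical, the sample data is constructed, and the mismatch is raised as a plain IOException where a CMIS server would map it to invalidArgument.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class VerifyingStreamDemo {
    /** Stand-in for a server implementation: stage the bytes, commit only if the check passed. */
    static boolean store(InputStream content, ByteArrayOutputStream repository) {
        ByteArrayOutputStream staged = new ByteArrayOutputStream();
        try {
            content.transferTo(staged);  // Java 9+; reads to end of stream, which runs the check
            staged.writeTo(repository);
            return true;
        } catch (IOException e) {
            return false;                // roll back: the staged bytes are dropped
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] sent = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(sent);
        byte[] received = sent.clone();
        received[3] ^= 0x01;             // constructed corruption: one bit flipped in transit
        for (byte[] body : new byte[][] {sent, received}) {
            ByteArrayOutputStream repository = new ByteArrayOutputStream();
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            InputStream in = new VerifyingInputStream(new ByteArrayInputStream(body), md, expected);
            System.out.println("stored=" + store(in, repository) + ", committed bytes=" + repository.size());
        }
    }
}

/** Hashes bytes as the consumer reads them and fails at end of stream on a mismatch. */
class VerifyingInputStream extends DigestInputStream {
    private final byte[] expected;
    private boolean checked;

    VerifyingInputStream(InputStream in, MessageDigest md, byte[] expected) {
        super(in, md);
        this.expected = expected.clone();
    }
    private int checkEof(int n) throws IOException {
        if (n == -1 && !checked) {
            checked = true;  // digest() resets the hash state, so compare only once
            if (!MessageDigest.isEqual(expected, getMessageDigest().digest())) {
                throw new IOException("content stream digest mismatch");
            }
        }
        return n;
    }
    @Override public int read() throws IOException { return checkEof(super.read()); }
    @Override public int read(byte[] b, int off, int len) throws IOException {
        return checkEof(super.read(b, off, len));
    }
}
```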