axis-java-dev mailing list archives

From Sridhar Dabbeeru <sridhar.dabbe...@gmail.com>
Subject Re: Filtering MTOM attachments based on disposition file name and content type
Date Fri, 10 Jun 2011 01:50:08 GMT
I understand your point. All we are trying to do is satisfy a security
audit black-list/white-list requirement. We just want to accept the configured
file extensions, not everything.

So, if we can't get the file name through the part's Content-Disposition, then what
would you recommend? Because a SOAP request can have multiple attachments, and
each attachment could have a different file extension and content type.

Thanks,
Sridhar

On Thu, Jun 9, 2011 at 2:30 PM, Andreas Veithen <andreas.veithen@gmail.com> wrote:

> There is indeed no API to get access to the Content-Disposition
> header. There is a reason for this: MTOM actually defines an
> equivalency between plain SOAP messages and MIME messages, but the
> specification doesn't attach any meaning to the Content-Disposition
> MIME header. That means that when constructing the equivalent plain
> SOAP message for a given MTOM message, the values of the
> Content-Disposition headers are lost. That has several implications:
>
> * The sender is not required to add Content-Disposition headers, and
> if it does, then the MTOM specs don't make any statement about how they
> should be set.
> * The receiver is not expected to use the Content-Disposition headers
> in any way.
> * An intermediary (such as an ESB) may choose to remove the
> Content-Disposition headers.
>
> Note that this also means that the requirement to filter MIME parts of
> an MTOM message based on Content-Disposition makes very little sense.
> This wouldn't improve security in any way because an attacker can set
> the Content-Disposition header to any value he wants, given that the
> receiver is not expected to use that value.
>
> Andreas
>
> On Thu, Jun 9, 2011 at 17:15, Sridhar Dabbeeru <sridhar.dabbeeru@gmail.com> wrote:
> > Swapna,
> > Sure, I can write the module, but when you say "Axis API", what exactly are
> > you referring to? We are on the Axis2 1.4 version, and
> > our org.apache.axiom.attachments.Attachments version doesn't even look into
> > the "Content-Disposition: attachment; name=", at least I don't see it
> > anywhere. Are you referring to any other API?
> >
> > ------=_Part_0_9514768.1307555652068
> > Content-Type: application/octet-stream
> > Content-Transfer-Encoding: binary
> > Content-ID: <1038418065145>
> > Content-Disposition: attachment; name="DSC07685.JPG"
> >
> > I have another question: if we intercept the attachment request in this
> > module, won't it already consume the stream that's been attached? I want this
> > module to just act like a filter and, on a bad request, throw a fault back.
> > Actual attachment handling should go through the actual service implementation.
> > Thanks,
> > Sridhar
> >
> > On Thu, Jun 9, 2011 at 1:48 AM, swapna soni <ssoni@nisum.com> wrote:
> >>
> >> Hi Sridhar,
> >>
> >>   You can create a custom module and engage it in your service or client
> >> program. In this module you can get the attachment of your request/response
> >> using the Axis2 API, and you can get the file name as well.
> >>
> >> Thanks,
> >>
> >> Swapna Soni.
> >>
> >> From: Sridhar Dabbeeru [mailto:sridhar.dabbeeru@gmail.com]
> >> Sent: Wednesday, June 08, 2011 11:14 PM
> >> To: java-dev@axis.apache.org
> >> Subject: Filtering MTOM attachments based on disposition file name and
> >> content type
> >>
> >> Hi,
> >> I have a requirement to apply a security filter on MTOM attachments based
> >> on a configured list of content types and file name extensions. For example, a file
> >> name with ".mp3" shouldn't be allowed for uploading, or
> >> content image/png shouldn't be allowed.
> >>
> >> I see in my SOAP request Content-Disposition: attachment; name="xyz.tif"
> >> but the file name is not being parsed in Axis2. I was expecting the name in
> >> my DataHandler, but that turned out to be the stream name. DataHandler does give
> >> me a handle on the correct content type. The only missing link is the file name.
> >>
> >> I am wondering, does Axis2 parse the disposition file name at all?
> >>
> >> Can anyone help me to resolve this?
> >>
> >> Thanks,
> >> Sridhar
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
> For additional commands, e-mail: java-dev-help@axis.apache.org
>
>
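An added example, written for this archive page and not code from Axis2, Axiom or anyone in the thread, of the kind of filter Andreas's reply points at: decide on the bytes of each MIME part, never on the Content-Disposition filename, and treat the declared Content-Type as sender-controlled too. It is Python rather than Java so it runs stand-alone over a constructed MTOM body; inside an Axis2 module the same checks would run over the part streams the attachments API exposes. The boundary, the allow-list (TIFF and JPEG only), the content IDs, the filenames and the sample part bytes are all assumed, and the magic-number table is deliberately short.

```python
"""Allow-list MTOM attachment parts by their bytes, never by Content-Disposition."""

CRLF = b"\r\n"

MAGIC = [                             # (leading bytes, MIME type); extend per policy
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"II*\x00", "image/tiff"),       # little-endian TIFF
    (b"MM\x00*", "image/tiff"),       # big-endian TIFF
    (b"ID3", "audio/mpeg"),           # MP3 with an ID3v2 tag
]


def sniff(data):
    """MIME type implied by the leading bytes, or None when nothing matches."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    if len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        return "audio/mpeg"           # bare MPEG audio frame sync (11 set bits)
    return None


def split_parts(body, boundary):
    """Minimal RFC 2046 multipart splitter over raw bytes (so binary parts survive);
    yields (headers, payload) per part. Header folding is not handled."""
    delim = CRLF + b"--" + boundary.encode("ascii")
    for chunk in (CRLF + body).split(delim)[1:]:   # [0] is the preamble
        if chunk.startswith(b"--"):
            break                                   # closing delimiter
        head, sep, payload = chunk.partition(CRLF + CRLF)
        if not sep:
            raise ValueError("part has no header/body separator")
        headers = {}
        for line in head.strip().decode("ascii", "replace").split("\r\n"):
            if ":" in line:
                name, _, value = line.partition(":")
                headers[name.strip().lower()] = value.strip()
        yield headers, payload


def filter_attachments(body, boundary, allowed):
    """Return [(content_id, verdict, reason)] for every non-root part.
    Content-Disposition is read nowhere: the sender picks it and MTOM gives it no
    meaning. The declared Content-Type is sender-controlled too, so it must agree
    with the sniffed type (or be the generic application/octet-stream); the
    allow-list is applied to the sniffed type only."""
    results = []
    for headers, payload in split_parts(body, boundary):
        declared = headers.get("content-type", "").split(";")[0].strip().lower()
        if declared == "application/xop+xml":
            continue                      # SOAP root part, not an attachment
        cid = headers.get("content-id", "?").strip("<>")
        actual = sniff(payload)
        if actual is None:
            results.append((cid, "deny", "unrecognised content"))
        elif actual not in allowed:
            results.append((cid, "deny", f"sniffed {actual} not in allow-list"))
        elif declared not in (actual, "application/octet-stream"):
            results.append((cid, "deny", f"declared {declared} but bytes are {actual}"))
        else:
            results.append((cid, "allow", actual))
    return results


BOUNDARY = "MIMEBoundary_example"       # assumed; really comes from the HTTP Content-Type
ALLOWED = {"image/tiff", "image/jpeg"}  # assumed audit policy: TIFF and JPEG only


def build_sample(boundary=BOUNDARY):
    """Constructed MTOM body (not a real capture): SOAP root plus five attachments."""
    def part(headers, payload):
        head = CRLF.join(h.encode("ascii") for h in ["Content-Transfer-Encoding: binary", *headers])
        return b"--" + boundary.encode("ascii") + CRLF + head + CRLF + CRLF + payload + CRLF

    pad = b"\x00" * 16
    parts = [
        (['Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"', "Content-ID: <root>"],
         b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope>'),
        # honest TIFF: allowed
        (["Content-Type: image/tiff", "Content-ID: <tif1>",
          'Content-Disposition: attachment; name="scan.tif"'], b"II*\x00\x08\x00\x00\x00" + pad),
        # octet-stream carrying real JPEG bytes, like the part quoted above: allowed
        (["Content-Type: application/octet-stream", "Content-ID: <jpg1>",
          'Content-Disposition: attachment; name="DSC07685.JPG"'], b"\xff\xd8\xff\xe0\x00\x10JFIF" + pad),
        # filename and Content-Type both claim JPEG, the bytes are PNG: denied
        (["Content-Type: image/jpeg", "Content-ID: <png-as-jpg>",
          'Content-Disposition: attachment; name="photo.jpg"'], b"\x89PNG\r\n\x1a\n" + pad),
        # MP3 behind a .jpg filename and a generic type: denied
        (["Content-Type: application/octet-stream", "Content-ID: <mp3>",
          'Content-Disposition: attachment; name="holiday.jpg"'], b"ID3\x04\x00\x00" + pad),
        # allowed type, but the declared type disagrees with the bytes: denied
        (["Content-Type: image/tiff", "Content-ID: <jpg-as-tif>",
          'Content-Disposition: attachment; name="scan2.tif"'], b"\xff\xd8\xff\xdb" + pad),
    ]
    body = b"".join(part(h, p) for h, p in parts)
    return body + b"--" + boundary.encode("ascii") + b"--" + CRLF


def run_sample():
    """Apply the assumed policy to the constructed body."""
    return filter_attachments(build_sample(), BOUNDARY, ALLOWED)


if __name__ == "__main__":
    for cid, verdict, reason in run_sample():
        print(f"{cid:12} {verdict:5} {reason}")
```

Two things follow from Andreas's point that a filter on MTOM parts has to live on the bytes: the part named DSC07685.JPG is accepted because its bytes are a JPEG, not because of its name, and the part named photo.jpg with Content-Type image/jpeg is rejected because its bytes are a PNG. Allowing application/octet-stream as a declared type is a deliberate concession to senders whose DataHandler defaults to it, as in the part quoted above; drop it from the tolerated set if the audit wants strict agreement. The splitter keeps the payload as raw bytes, which is what lets a binary-encoded part be inspected without being altered; a real module would also cap the number of bytes it reads per part.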
