[JBoss JIRA] (SRAMP-178) Trusting MIME type sent from clients is dangerous
by Randall Hauch (JIRA)
[ https://issues.jboss.org/browse/SRAMP-178?page=com.atlassian.jira.plugin.... ]
Randall Hauch commented on SRAMP-178:
-------------------------------------
The Tika project has pretty good MIME type detection. ModeShape 3 abandoned our custom approach, and we are now just using Tika.
> Trusting MIME type sent from clients is dangerous
> -------------------------------------------------
>
> Key: SRAMP-178
> URL: https://issues.jboss.org/browse/SRAMP-178
> Project: S-RAMP
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Client
> Affects Versions: 0.1.1
> Reporter: Lukas Krejci
> Assignee: Kurt Stam
> Fix For: 0.2.0 - Milestone 4
>
>
> While uploading an artifact to the repository, the S-RAMP server completely trusts the client with the supplied MIME type and uses it thereafter.
> This also includes the time when the artifact is downloaded from the S-RAMP server.
> This is quite dangerous, IMHO, because it gives potential attackers the means to make certain types of files look like something they aren't. This could be a nice vector for exploiting vulnerabilities in applications that then open such files.
> For example, consider this command:
> curl -H 'Content-Type: image/png' -H 'Slug: wha.pkg' --data-binary @tmp.pdf 'http://localhost:8080/s-ramp-server/s-ramp/core/Document'
> This will create an artifact called "wha.pkg" in the repository, which will have the stored content type of "image/png" but the actual data will be a PDF.
> IMHO, the MIME type detection should be purely a server-side affair, ignoring any hints of MIME type sent in by the clients.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
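The following is an added example illustrating the fix the report asks for; it is not S-RAMP or Apache Tika code. A minimal magic-number sniffer stands in for a real detector such as Tika, and the Artifact type, store_artifact() and download_headers() are hypothetical names. The PDF bytes are constructed to play the role of tmp.pdf in the curl command above: the client claims image/png and a slug of wha.pkg, but the server records and later serves what it detected.

```python
"""Server-side MIME detection instead of trusting the client's Content-Type.

Added example, not code from S-RAMP or Apache Tika.  A small magic-number
table stands in for a real detector such as Tika; Artifact,
store_artifact() and download_headers() are hypothetical names.
"""
import re
from dataclasses import dataclass

# Leading bytes ("magic numbers") of a few common formats.  A real server
# would delegate this to a library (Tika, libmagic) with a far larger table.
_MAGIC = (
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
    (b"<?xml", "application/xml"),
)


def detect_mime(data: bytes) -> str:
    """Derive a MIME type from the content bytes alone, never from headers."""
    if not data:
        return "application/octet-stream"
    for magic, mime in _MAGIC:
        if data.startswith(magic):
            return mime
    # Coarse fallback: a NUL byte in the first 512 bytes means binary.
    if b"\x00" in data[:512]:
        return "application/octet-stream"
    return "text/plain"


@dataclass
class Artifact:
    name: str             # from the Slug header
    content_type: str     # what the server detected and will serve back
    client_declared: str  # what the client claimed; kept only for auditing
    data: bytes

    @property
    def mismatch(self) -> bool:
        """True when the client's claim disagrees with the detected type."""
        claimed = self.client_declared.split(";")[0].strip().lower()
        return claimed != self.content_type


def store_artifact(slug: str, client_content_type: str, data: bytes) -> Artifact:
    """Ingest an upload the way the report recommends: the stored (and later
    served) content type comes from detection, not from the request header."""
    return Artifact(
        name=slug,
        content_type=detect_mime(data),
        client_declared=client_content_type,
        data=data,
    )


def download_headers(artifact: Artifact) -> dict:
    """Response headers for serving the artifact back.  The detected type is
    used; nosniff and an attachment disposition keep browsers from
    second-guessing it, and the filename is restricted to a safe charset
    so a hostile Slug cannot inject header syntax."""
    safe_name = re.sub(r"[^\w.-]", "_", artifact.name)
    return {
        "Content-Type": artifact.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed stand-in for tmp.pdf from the report's curl command.
    pdf_bytes = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF\n"
    art = store_artifact("wha.pkg", "image/png", pdf_bytes)
    print(art.content_type, art.mismatch)  # application/pdf True
    print(download_headers(art))
```

The mismatch flag is worth logging at upload time: a client that declares image/png for a PDF is either buggy or probing. Magic-number sniffing narrows the spoofing surface but does not close it, since polyglot files that satisfy two formats at once exist, which is why the download side also sends X-Content-Type-Options: nosniff and serves the artifact as an attachment rather than relying on the detected type alone.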