]
Eric Wittmann commented on SRAMP-178:
-------------------------------------
This has been resolved, yes?
Trusting MIME type sent from clients is dangerous
-------------------------------------------------
Key: SRAMP-178
URL:
https://issues.jboss.org/browse/SRAMP-178
Project: S-RAMP
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Client
Affects Versions: 0.1.1
Reporter: Lukas Krejci
Assignee: Kurt Stam
Fix For: 0.2.0 - Milestone 4
While uploading artifact to the repository, the S-RAMP server completely trusts the
client with the supplied mime type and uses it from thereafter.
This also includes the time when the artifact is downloaded from S-RAMP server.
This is quite dangerous, IMHO, because it gives the potential attackers the means for
making certain types of files look like something they aren't. This could be a nice
vector to exploiting vulnerabilities in applications that then open such files.
For example, consider this command:
curl -H 'Content-Type: image/png' -H 'Slug: wha.pkg' --data-binary
@tmp.pdf 'http://localhost:8080/s-ramp-server/s-ramp/core/Document'
This will create an artifact called "wha.pkg" in the repository, which will
have the stored content type of "image/png" but the actual data will be a PDF.
IMHO, the mime type detection should be purely a server-side affair ignoring any hints of
mimetype sent in by the clients.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: