Message-ID: <3E39A62F.40409@genome.wi.mit.edu>
Date: Thu, 30 Jan 2003 17:24:47 -0500
From: Jim Lerner
To: axis-dev@xml.apache.org
Subject: Re: Axis attachment naming enhancement (code attached)

Since Axis is already willing to hand me the file (on the server or the client) with a name like "/tmp/Axis56789axis", I am able to do with it what I will. That means that if I wanted to rename it and possibly execute it, I could. What difference does it make to Axis or system security if the original filename/extension are preserved? The danger is no greater. It seems to me that security has to be implemented for any Axis service that cares about it, but that obfuscating the filename does not serve that purpose.

- Jim

James M Snell wrote:

>I would think that allowing the client to control the naming of the files
>saved on the server would constitute a security risk on the server. If
>the attachment contains a malicious executable, then Axis would be
>unwittingly allowing the code to be saved to the server in a form that
>would allow it to be easily executed (e.g. tempfilename.exe). While I
>recognize the benefits that something like this would allow, I do not
>believe that this is the right solution.
>
>- James Snell
>  IBM Emerging Technologies
>  jasnell@us.ibm.com
>  (559) 587-1233 (office)
>  (700) 544-9035 (t/l)
>  Programming Web Services With SOAP
>  O'Reilly & Associates, ISBN 0596000952
>
>  Have I not commanded you? Be strong and courageous.
>  Do not be terrified, do not be discouraged, for the Lord your
>  God will be with you wherever you go. - Joshua 1:9
>
>Jim Lerner
>01/30/2003 12:10 PM
>Please respond to axis-dev
>
>To: axis-dev@xml.apache.org
>Subject: Axis attachment naming enhancement (code attached)
>
>I am submitting for your approval (and integration) changes to
>Axis-1_1beta that allow Axis to create unique names for file
>attachments that bear a passing resemblance to the original filename.
>This is critical for applications that use the filename [extension] for
>disambiguation, and also in the case of multiple attachments on a single
>message. It's my understanding that there are a number of Axis users
>out there who have suffered for lack of a solution to this problem.
>
>The premise is simple: add a MIME header to each attachment with the
>original filename. When the file is sent to Axis, Axis'
>ManagedMemoryDataSource will use this name to create a uniquely named
>temporary file (e.g. Axis98765_myfile.xls) rather than the usual
>(Axis98765axis). Likewise, when Axis receives a file to be sent back to
>the caller, a MIME header on the attachment indicates the original name
>(Axis98765_myfile.xls). This is not quite optimal, but it is easy
>enough for the client to parse and use, given that the underscore is
>guaranteed to be the first one in the filename. Existing applications
>that don't set the MIME header will continue to see the previous file
>naming behavior.
>
>The changes that I've made (in the attached files) are as follows:
>
>org/apache/axis/transport/http/HTTPConstants:
>added HEADER_X_ORIGINAL_FILENAME for new MIME header
>
>org/apache/axis/attachments/AttachmentPart:
>setMimeHeader(DataSource's getName()) when creating an attachment part
>from a DataHandler and
>when setting a DataHandler for an existing AttachmentPart.
>
>org/apache/axis/attachments/MultiPartRelatedInputStream:
>inform ManagedMemoryDataSource of the X_ORIGINAL_FILENAME MIME heading.
>
>org/apache/axis/attachments/ManagedMemoryDataSource:
>added new constructor with extra parameter for original name (other
>constructors use this(..., null))
>added storage for the original filename
>use the original name when constructing the temporary file into which
>the in-memory file is flushed.
>
>Please let me know if you need any further clarification, any of this
>needs to be reworked, etc. I'm hoping that you'll find this to be
>useful, correct, and worth integrating into the CVS repository.
>
>- Jim
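
The naming scheme in the quoted proposal, sketched as an added example that is not part of this thread and is not the attached Axis patch: the server chooses the unique part of the temporary name, and the client-supplied original name is cut down to its last path component and an allow-listed character set before it is appended. The class and method names, the allow-list, the length cap and the sample values are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical helper for illustration; not part of Axis. */
public class AttachmentTempName {
    private static final int MAX_LEN = 64; // assumed cap on the client-derived part

    /** Reduce a client-supplied file name to a safe suffix ("" if nothing usable is left). */
    static String safeSuffix(String original) {
        if (original == null) return "";
        // Keep only the last path component, whichever separator the client used.
        int cut = Math.max(original.lastIndexOf('/'), original.lastIndexOf('\\'));
        StringBuilder sb = new StringBuilder();
        for (char c : original.substring(cut + 1).toCharArray()) {
            // Allow-list (an assumption): ASCII letters, digits, '.', '-', '_'.
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
            sb.append(ok ? c : '-');
        }
        String s = sb.toString();
        // Truncate from the front so the extension survives.
        if (s.length() > MAX_LEN) s = s.substring(s.length() - MAX_LEN);
        // No leading dots: never ".", ".." or a hidden file name.
        return s.replaceFirst("^\\.+", "");
    }

    /** Create Axis<random>_<name> in dir, or Axis<random>axis when no name was sent. */
    static Path createTemp(Path dir, String original) throws IOException {
        String suffix = safeSuffix(original);
        // The server picks the unique part; the client only influences the suffix.
        return Files.createTempFile(dir, "Axis", suffix.isEmpty() ? "axis" : "_" + suffix);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("attachments");
        // Constructed sample header values, including one with no header at all.
        String[] samples = { "myfile.xls", "C:\\docs\\report 2003.xls", "../../myfile.xls", null };
        for (String name : samples) {
            Path p = createTemp(dir, name);
            System.out.println(name + " -> " + p.getFileName());
            Files.delete(p);
        }
        Files.delete(dir);
    }
}
```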