chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Müller (JIRA) <>
Subject [jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present
Date Mon, 17 Oct 2016 07:09:58 GMT


Florian Müller commented on CMIS-1001:

Your patch only covers the createDocument and the checkIn operations of the Browser Binding.
In both cases, the stream is embedded in a multipart message. If a stream gets really corrupted,
the multipart message cannot be parsed and OpenCMIS rejects the call anyway. Your patch only
protects the server from small corruptions that only happen when the content part is transferred.

Additionally, the Content-MD5 header is Base64 encoded, not Hex encoded. (see RFC 1864)

> Parse Content-MD5 Mime Header and use it for validation if present
> ------------------------------------------------------------------
>                 Key: CMIS-1001
>                 URL:
>             Project: Chemistry
>          Issue Type: Improvement
>          Components: opencmis-server
>    Affects Versions: OpenCMIS 1.0.0
>            Reporter: Ron Gavlin
>            Priority: Minor
> Sometimes content streams get corrupted over the wire. Content stream hashes are often
used to protect against these corruptions.
> Apache Chemistry OpenCMIS should validate contentStream input to AtomPub and Browser
Binding CMIS operations, including setContentStream, appendContentStream, checkIn, and createDocument,
by comparing the content stream MD5 hash against a Content-MD5 MIME header if present. A CMIS
invalidArgument exception should be thrown if the hashes are not equal.

This message was sent by Atlassian JIRA

View raw message