chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ron Gavlin (JIRA)" <>
Subject [jira] [Commented] (CMIS-1001) Parse Content-MD5 Mime Header and use it for validation if present
Date Mon, 17 Oct 2016 12:08:58 GMT


Ron Gavlin commented on CMIS-1001:

Our experience with minor corruptions that occur during content part transfer motivated this
patch. In our case, we use multipart/form-data encoding for all 4 content-related actions
including setContent and appendContent. For multipart/form-data Message Integrity Checking,
it seems reasonable to me to perform this validation in the MultipartParser. Of course, validation-enablement
could be made configurable. Also, if you do not want hash validation in the Framework, would
you consider simply parsing the Mime Header in the MultipartParser as done in the current
patch and exposing the Header to Framework consumers as a getter in say the POSTHttpServletRequestWrapper?

Yes, I concur that the header should be Base64 encoded per RFC 1864. I can correct in a revised

Let me know how you would like me to proceed.

> Parse Content-MD5 Mime Header and use it for validation if present
> ------------------------------------------------------------------
>                 Key: CMIS-1001
>                 URL:
>             Project: Chemistry
>          Issue Type: Improvement
>          Components: opencmis-server
>    Affects Versions: OpenCMIS 1.0.0
>            Reporter: Ron Gavlin
>            Priority: Minor
> Sometimes content streams get corrupted over the wire. Content stream hashes are often
used to protect against these corruptions.
> Apache Chemistry OpenCMIS should validate contentStream input to AtomPub and Browser
Binding CMIS operations, including setContentStream, appendContentStream, checkIn, and createDocument,
by comparing the content stream MD5 hash against a Content-MD5 MIME header if present. A CMIS
invalidArgument exception should be thrown if the hashes are not equal.

This message was sent by Atlassian JIRA

View raw message