mimepull ignores missing/invalid closing MIME boundaries

[glassfishrobot]

According to the relevant specifications for MIME messages the end of the last
part is marked by the boundary marker appended by two dashes. Mimepull, however
also accepts MIME messages that do not have a closing boundary marker.

This behavior is dangerous and may lead to corrupted data. Consider the
following situation: A SOAP request with a single MTOM attachment is being
transferred. If, for whatever reason, the connection between client and server
is closed during the transfer process of the attachment the mimepull parser will
still accept the incomplete message without raising an exception. For the web
service implementation there is no way to notice that it reads an incomplete
attachment. The web service implementation then proceeds with corrupted data.

Here is a patch that fixes this:

Index: src/main/java/org/jvnet/mimepull/MIMEParser.java

— src/main/java/org/jvnet/mimepull/MIMEParser.java (revision 268237)
+++ src/main/java/org/jvnet/mimepull/MIMEParser.java (revision 268238)
@@ -209,11 +209,7 @@
assert eof || len >= config.chunkSize;
int chunkSize = eof ? len : config.chunkSize;
if (eof)

{ - // Should we throw exception as there is no closing boundary ? But some impl - // like SAAJ do not throw excpetion. - // throw new MIMEParsingException("Reached EOF, but there is no closing MIME boundary."); - done = true; - state = STATE.END_PART; + throw new MIMEParsingException("Reached EOF, but there is no closing MIME boundary."); }

return adjustBuf(chunkSize, len-chunkSize);
}
@@ -253,12 +249,7 @@
} else if (start+bl+lwsp+1 < len)

{ return adjustBuf(chunkLen+1, len-chunkLen-1); // boundary string in a part data }

else if (eof)

{ - done = true; - state = STATE.END_PART; - return adjustBuf(chunkLen, 0); - // Should we throw exception as there is no closing boundary ? But some impl - // like SAAJ do not throw excpetion. - //throw new MIMEParsingException("Reached EOF, but there is no closing MIME boundary."); + throw new MIMEParsingException("Reached EOF, but there is no closing MIME boundary."); }

// Some more data needed to determine if it is indeed a proper boundary

Fix the existing test data:

Index: src/test/resources/msg.txt

— src/test/resources/msg.txt (revision 268342)
+++ src/test/resources/msg.txt (revision 268343)
@@ -13,3 +13,4 @@
^@^PJFIF@^A^B^@^@^A@^A@^@@C^@^H^F^F^G^F^E^H^G^G^G
^L^T
^L^K^K^L^Y^R^S^O^T^]
+-----=_Part_4_910054940.1065629194743-^MIndex: src/test/resources/msg2.txt

— src/test/resources/msg2.txt (revision 268342)
+++ src/test/resources/msg2.txt (revision 268343)
@@ -49,4 +49,5 @@

^PJFIF ^A^B ^A ^A C^F^F^G^F^E^H^G^G^G
^L^T
-^L^K^K^L^Y^R^S^O^T^]
\ No newline at end of file
+^L^K^K^L^Y^R^S^O^T^]
+-----=_Part_1_807283631.1066069460327-
\ No newline at end of file

Add new test data and tests:

Index: src/test/java/parsing/ParsingTest.java

— src/test/java/parsing/ParsingTest.java (revision 268349)
+++ src/test/java/parsing/ParsingTest.java (revision 268350)
@@ -42,6 +42,7 @@

import org.jvnet.mimepull.MIMEMessage;
import org.jvnet.mimepull.MIMEConfig;
+import org.jvnet.mimepull.MIMEParsingException;
import org.jvnet.mimepull.MIMEPart;

import javax.imageio.ImageIO;
@@ -207,4 +208,43 @@
assertEquals("part2", parts.get(1).getContentId());
}

• public void testNoClosingBoundary() throws Exception {
• boolean gotException = false;
• try

{ + String fileName = "../msg-no-closing-boundary.txt"; + InputStream in = getClass().getResourceAsStream(fileName); + assertNotNull("Failed to load test data from " + fileName, in); + MIMEConfig config = new MIMEConfig(); + String boundary = "----=_Part_4_910054940.1065629194743"; + MIMEMessage mm = new MIMEMessage(in, boundary , config); + mm.parseAll(); + }

catch (MIMEParsingException e)

{ + gotException = true; + String msg = e.getMessage(); + assertNotNull(msg); + assertTrue(msg.contains("no closing MIME boundary")); + }

• assertTrue(gotException);

• }

• public void testInvalidClosingBoundary() throws Exception {

• boolean gotException = false;

• try { + String fileName = "../msg-invalid-closing-boundary.txt"; + InputStream in = getClass().getResourceAsStream(fileName); + assertNotNull("Failed to load test data from " + fileName, in); + MIMEConfig config = new MIMEConfig(); + String boundary = "----=_Part_4_910054940.1065629194743"; + MIMEMessage mm = new MIMEMessage(in, boundary , config); + mm.parseAll(); + } catch (MIMEParsingException e) {+ gotException = true;+ String msg = e.getMessage();+ assertNotNull(msg);+ assertTrue(msg.contains("no closing MIME boundary"));+ }

• assertTrue(gotException);

• }
  }
  Index: src/test/resources/msg-invalid-closing-boundary.txt
  ===================================================================
  — src/test/resources/msg-invalid-closing-boundary.txt (revision 0)
  +++ src/test/resources/msg-invalid-closing-boundary.txt (revision 268350)
  @@ -0,0 +1,16 @@
  +------=_Part_4_910054940.1065629194743
  +Content-Type: text/xml; charset=UTF-8
  +Content-Transfer-Encoding: binary
  +Content-Id: 139912840220.1065629194743.IBM.WEBSERVICES@ibm-7pr28r4m35k
  +Content-Description: ahsdfjhdf\nsdkhjkdf\tjsdkfh\r kdjfkdjf

+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance">soapenv:Body18lb232618in</
DimensionsUnit></soapenv:Body></soapenv:Envelope>
+------=_Part_4_910054940.1065629194743
+Content-Type: image/jpeg
+Content-Transfer-Encoding: binary
+Content-Id: 1351327060508.1065629194423.IBM.WEBSERVICES@ibm-7pr28r4m35k
+
+^@^PJFIF@^A^B^@^@^A@^A@^@@C^@^H^F^F^G^F^E^H^G^G^G
+^L^T
+^L^K^K^L^Y^R^S^O^T^]
+-----=_Part_4_910054940.1065629194743^MIndex: src/test/resources/msg-no
closing-boundary.txt

— src/test/resources/msg-no-closing-boundary.txt (revision 0)
+++ src/test/resources/msg-no-closing-boundary.txt (revision 268350)
@@ -0,0 +1,15 @@
+------=_Part_4_910054940.1065629194743
+Content-Type: text/xml; charset=UTF-8
+Content-Transfer-Encoding: binary
+Content-Id: 139912840220.1065629194743.IBM.WEBSERVICES@ibm-7pr28r4m35k
+Content-Description: ahsdfjhdf\nsdkhjkdf\tjsdkfh\r kdjfkdjf
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance">soapenv:Body18lb232618in</
DimensionsUnit></soapenv:Body></soapenv:Envelope>
+------=_Part_4_910054940.1065629194743
+Content-Type: image/jpeg
+Content-Transfer-Encoding: binary
+Content-Id: 1351327060508.1065629194423.IBM.WEBSERVICES@ibm-7pr28r4m35k
+
+^@^PJFIF@^A^B^@^@^A@^A@^@@C^@^H^F^F^G^F^E^H^G^G^G
+^L^T
+^L^K^K^L^Y^R^S^O^T^]

Environment

Operating System: All
Platform: All

Affected Versions

[current]

[glassfishrobot]

Reported by fff90a@java.net

[glassfishrobot]

Was assigned to snajper

[glassfishrobot]

File: all-patches.patch
Attached By: fff90a@java.net

[glassfishrobot]

fff90a@java.net said:
Created an attachment (id=5)
All three patches

[glassfishrobot]

snajper said:
AFAICT this was fixed, too - please reopen if not. Thanks.

[glassfishrobot]

Marked as fixed on Friday, November 30th 2012, 3:49:33 am

[glassfishrobot]

This issue was imported from java.net JIRA MIMEPULL-4