List:       openjdk-2d-dev
Subject:    Re: [OpenJDK 2D-Dev] <AWT Dev> Safe to take Base64 encoded image from client?
From:       Philip Race <philip.race () oracle ! com>
Date:       2017-05-30 14:07:52
Message-ID: 592D7CB8.7010500 () oracle ! com

From a JDK perspective you need to make sure you run with the
latest secure baseline update for your version: for more info see
http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html

The rest is application architecture for which I don't think we can or 
should give advice.
This is not a support channel. These lists are for people contributing 
source code to OpenJDK.

-phil.

On 5/29/17, 2:48 PM, Sergey Bylokhov wrote:
> Hi,
> The question is related to Java2D API and 2d-dev (cc).
>
> ----- timo.vander.schuit@globalrelay.net wrote:
>
>> Hi,
>>
>> The front-end generates a base64 encoded image of a graph and sends it
>> to the backend to use it with pdfbox to create a pdf file.
>> Are there any security concerns with in particular this line
>> "BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));"?
>>
>> @POST
>> @Consumes(MediaType.APPLICATION_JSON)
>> @Path("/pdfbox")
>> public void getChartsPdf(String base64ImageData) throws IOException{
>>
>>      PDDocument doc = null;
>>      byte[] imageByte;
>>      String base64Image = base64ImageData.split(",")[1];
>>      BASE64Decoder decoder = new BASE64Decoder();
>>      imageByte = decoder.decodeBuffer(base64Image);
>>      try {
>>          doc = new PDDocument();
>>          PDPage page = new PDPage();
>>          doc.addPage(page);
>>          PDFont font = PDType1Font.HELVETICA_BOLD;
>>          PDPageContentStream contentStream = new PDPageContentStream(doc, page);
>>
>>          BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
>>          PDXObjectImage ximage = new PDPixelMap(doc, bufImg);
>>
>>          contentStream.beginText();
>>          contentStream.setFont( font, 12 );
>>          contentStream.moveTextPositionByAmount( 50, 700 );
>>          contentStream.drawString("Timeline");
>>          contentStream.endText();
>>          contentStream.drawXObject(ximage, 20, 500, ximage.getWidth()/2, ximage.getHeight()/2);
>>          contentStream.close();
>>          doc.save("testCharts.pdf");
>>      } catch (Exception e) {
>>          System.err.println(e.getMessage());
>>      } finally {
>>          if (doc != null) {
>>              doc.close();
>>          }
>>      }
>> }
>>
>> Regards,
>>
>> Timo
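
As an added example (not code from this thread or from OpenJDK), one way a backend could bound what it hands to ImageIO before the image reaches pdfbox: cap the input size, accept only a PNG data URL, and check the dimensions from the header before any pixels are decoded. The class name, the limits and the PNG-only prefix are assumptions, and java.util.Base64 (Java 8+) stands in for the internal sun.misc.BASE64Decoder.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.Iterator;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;
public class BoundedImageDecoder {
    // Assumed limits for this example; size them to the charts the front-end really sends.
    static final int MAX_BASE64_CHARS = 4 * 1024 * 1024;
    static final int MAX_SIDE = 4096;
    static final String PREFIX = "data:image/png;base64,";
    static BufferedImage decode(String dataUrl) throws IOException {
        if (dataUrl == null || !dataUrl.startsWith(PREFIX)
                || dataUrl.length() - PREFIX.length() > MAX_BASE64_CHARS)
            throw new IOException("rejected: not a PNG data URL within the size limit");
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(dataUrl.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            throw new IOException("rejected: malformed base64", e);
        }
        try (ImageInputStream in = new MemoryCacheImageInputStream(new ByteArrayInputStream(raw))) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(in);
            if (!readers.hasNext()) throw new IOException("rejected: not a decodable image");
            ImageReader reader = readers.next();
            try {
                // The plugin is chosen by sniffing the bytes, so confirm it is the PNG one.
                if (!"png".equalsIgnoreCase(reader.getFormatName()))
                    throw new IOException("rejected: content is not PNG");
                reader.setInput(in, true, true);
                // Width and height come from the header, before any pixel buffer is allocated.
                int w = reader.getWidth(0), h = reader.getHeight(0);
                if (w < 1 || h < 1 || w > MAX_SIDE || h > MAX_SIDE)
                    throw new IOException("rejected: dimensions " + w + "x" + h);
                return reader.read(0);
            } finally { reader.dispose(); }
        }
    }
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream png = new ByteArrayOutputStream(); // constructed 8x8 sample image
        ImageIO.write(new BufferedImage(8, 8, BufferedImage.TYPE_INT_RGB), "png", png);
        BufferedImage img = decode(PREFIX + Base64.getEncoder().encodeToString(png.toByteArray()));
        System.out.println(img.getWidth() + "x" + img.getHeight());
    }
}
```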