Re: <AWT Dev> Safe to take Base64 encoded image from client?

Re: <AWT Dev> Safe to take Base64 encoded image from client?

Sergey Bylokhov
Hi,
The question is related to Java2D API and 2d-dev (cc).

----- [hidden email] wrote:

> Hi,
>
> The front-end generates a base64 encoded image of a graph and sends it
> to the backend to use it with pdfbox to create a pdf file.
> Are there any security concerns, in particular with this line:
> "BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));"?
>
> @POST
> @Consumes(MediaType.APPLICATION_JSON)
> @Path("/pdfbox")
> public void getChartsPdf(String base64ImageData) throws IOException{
>
>     PDDocument doc = null;
>     byte[] imageByte;
>     String base64Image = base64ImageData.split(",")[1];
>     BASE64Decoder decoder = new BASE64Decoder();
>     imageByte = decoder.decodeBuffer(base64Image);
>     try {
>         doc = new PDDocument();
>         PDPage page = new PDPage();
>         doc.addPage(page);
>         PDFont font = PDType1Font.HELVETICA_BOLD;
>         PDPageContentStream contentStream = new PDPageContentStream(doc, page);
>
>         BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
>         PDXObjectImage ximage = new PDPixelMap(doc, bufImg);
>
>         contentStream.beginText();
>         contentStream.setFont( font, 12 );
>         contentStream.moveTextPositionByAmount( 50, 700 );
>         contentStream.drawString("Timeline");
>         contentStream.endText();
>         contentStream.drawXObject(ximage, 20, 500, ximage.getWidth()/2, ximage.getHeight()/2);
>         contentStream.close();
>         doc.save("testCharts.pdf");
>     } catch (Exception e) {
>         System.err.println(e.getMessage());
>     } finally {
>         if (doc != null) {
>             doc.close();
>         }
>     }
> }
>
> Regards,
>
> Timo

Re: <AWT Dev> Safe to take Base64 encoded image from client?

Philip Race
From a JDK perspective you need to make sure you run with the
latest secure baseline update for your version: for more info see
http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html

The rest is application architecture for which I don't think we can or
should give advice.
This is not a support channel. These lists are for people contributing
source code to OpenJDK.

-phil.

On 5/29/17, 2:48 PM, Sergey Bylokhov wrote:

> Hi,
> The question is related to Java2D API and 2d-dev (cc).
>
> ----- [hidden email] wrote:
>
>> Hi,
>>
>> The front-end generates a base64 encoded image of a graph and sends it
>> to the backend to use it with pdfbox to create a pdf file.
>> Are there any security concerns, in particular with this line:
>> "BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));"?
>>
>> @POST
>> @Consumes(MediaType.APPLICATION_JSON)
>> @Path("/pdfbox")
>> public void getChartsPdf(String base64ImageData) throws IOException{
>>
>>      PDDocument doc = null;
>>      byte[] imageByte;
>>      String base64Image = base64ImageData.split(",")[1];
>>      BASE64Decoder decoder = new BASE64Decoder();
>>      imageByte = decoder.decodeBuffer(base64Image);
>>      try {
>>          doc = new PDDocument();
>>          PDPage page = new PDPage();
>>          doc.addPage(page);
>>          PDFont font = PDType1Font.HELVETICA_BOLD;
>>          PDPageContentStream contentStream = new PDPageContentStream(doc, page);
>>
>>          BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
>>          PDXObjectImage ximage = new PDPixelMap(doc, bufImg);
>>
>>          contentStream.beginText();
>>          contentStream.setFont( font, 12 );
>>          contentStream.moveTextPositionByAmount( 50, 700 );
>>          contentStream.drawString("Timeline");
>>          contentStream.endText();
>>          contentStream.drawXObject(ximage, 20, 500, ximage.getWidth()/2, ximage.getHeight()/2);
>>          contentStream.close();
>>          doc.save("testCharts.pdf");
>>      } catch (Exception e) {
>>          System.err.println(e.getMessage());
>>      } finally {
>>          if (doc != null) {
>>              doc.close();
>>          }
>>      }
>> }
>>
>> Regards,
>>
>> Timo
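
One way to bound what the endpoint in the question hands to ImageIO, as an added example that is not code from either poster or from OpenJDK: cap the payload size, accept only the expected format, and check the header dimensions before any pixels are decoded. The class name, both limits, the PNG-only policy and the use of java.util.Base64 in place of sun.misc.BASE64Decoder are assumptions.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.*;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.Iterator;

public class BoundedImageDecoder {
    // Both limits are assumptions for a chart export; tune them to the application.
    static final int MAX_DATA_URL_CHARS = 4 * 1024 * 1024;
    static final long MAX_PIXELS = 4_000L * 4_000L;

    public static BufferedImage decode(String dataUrl) throws IOException {
        int comma = (dataUrl == null) ? -1 : dataUrl.indexOf(',');
        if (comma < 0 || dataUrl.length() > MAX_DATA_URL_CHARS) {
            throw new IOException("missing, malformed or oversized payload");
        }
        byte[] bytes;
        try {
            bytes = Base64.getDecoder().decode(dataUrl.substring(comma + 1));
        } catch (IllegalArgumentException e) {
            throw new IOException("invalid base64", e);
        }
        try (ImageInputStream in = new MemoryCacheImageInputStream(new ByteArrayInputStream(bytes))) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(in);
            if (!readers.hasNext()) {
                throw new IOException("unrecognised image format");
            }
            ImageReader reader = readers.next();
            try {
                // Accept only the format the front-end is expected to send (assumed PNG).
                if (!"png".equalsIgnoreCase(reader.getFormatName())) {
                    throw new IOException("unexpected format: " + reader.getFormatName());
                }
                reader.setInput(in, true, true);
                // Width and height are read from the header; no pixel buffer exists yet.
                long pixels = (long) reader.getWidth(0) * reader.getHeight(0);
                if (pixels <= 0 || pixels > MAX_PIXELS) {
                    throw new IOException("image dimensions out of bounds");
                }
                return reader.read(0);
            } finally {
                reader.dispose();
            }
        }
    }
}
```

The caller should treat any IOException from `decode` as a rejected request and return a client error rather than continuing to build the PDF.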