Adopt the Content-Type header #263

Closed
phax opened this issue Aug 19, 2024 · 1 comment

phax commented Aug 19, 2024

The existing Content-Type header with the form

Content-Type: multipart/related; boundary="----=_Part_0_899523303.1722602089777"; type="application/soap+xml"; charset=UTF-8

is not ideal with regard to OWASP rules:

Content-Type with lower score:

Content-Type: multipart/related; type="application/soap+xml"; boundary="example"; start="<ID of root MIME part>"; start-info="application/soap+xml"

and within first MIME part:

Content-Type: application/soap+xml; charset=UTF-8
@phax phax self-assigned this Aug 19, 2024

phax commented Aug 19, 2024

For v2.8.2 the charset parameter was removed from the main Content-Type; for the MIME part Content-Type the charset was already present.

Regarding the start parameter for multipart/related according to RFC 2387 chapter 3.2:

The start parameter, if given, is the content-ID of the compound object's "root". If not present the "root" is the first body part in the Multipart/Related entity. The "root" is the element the applications processes first.

As the main body part is ALWAYS the root, the start parameter is not needed.

Regarding the start-info parameter for multipart/related according to RFC 2387 chapter 3.3:

Additional information can be provided to an application by the start-info parameter. It contains either a string or points, via content-ID, to another MIME entity in the message. A typical use might be to provide additional command line parameters or a MIME entity giving auxiliary information for processing the compound object.
Applications that use Multipart/Related must specify the interpretation of start-info. User Agents shall provide the parameter's value to the processing application. Processes can distinguish a start-info reference from a token or quoted-string by examining the first non-white-space character, "<" indicates a reference.

As "Applications that use Multipart/Related must specify the interpretation of start-info" is not the case for AS4, I decided to not use this parameter either.

@phax phax closed this as completed Aug 19, 2024
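
The header layout discussed in this issue can be checked on a captured message. The following is an added example, not code from the issue or from the project: it parses a multipart/related entity with Python's standard `email` package, resolves the root part as RFC 2387 chapter 3.2 describes, and reports whether `charset` sits on the outer header or on the root MIME part. The function name `inspect_related`, the finding strings, and the sample body are assumptions made for illustration; only the boundary value is taken from the issue.

```python
from email import message_from_bytes

def inspect_related(content_type: str, body: bytes) -> dict:
    """Parse a multipart/related entity and report where charset and type sit."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/related" or not msg.is_multipart():
        raise ValueError("not a parseable multipart/related entity")
    parts = msg.get_payload()
    # RFC 2387 3.2: without "start", the root is the first body part.
    start = msg.get_param("start")
    if start is None:
        root = parts[0]
    else:
        wanted = start.strip().strip("<>")
        by_id = [p for p in parts
                 if (p.get("Content-ID") or "").strip().strip("<>") == wanted]
        if not by_id:
            raise ValueError("start does not match any Content-ID")
        root = by_id[0]
    findings = []
    if msg.get_param("charset") is not None:
        findings.append("charset on multipart/related header")
    if (msg.get_param("type") or "").lower() != root.get_content_type():
        findings.append("type parameter does not match root part")
    if root.get_content_charset() is None:
        findings.append("root part declares no charset")
    return {"root_type": root.get_content_type(),
            "root_charset": root.get_content_charset(),
            "findings": findings}

# Constructed sample message; only the boundary value is quoted from the issue.
BOUNDARY = "----=_Part_0_899523303.1722602089777"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    "Content-Type: application/soap+xml; charset=UTF-8",
    "",
    "<Envelope/>",
    "--" + BOUNDARY,
    "Content-Type: application/octet-stream",
    "Content-ID: <payload@constructed.example>",
    "",
    "constructed payload",
    "--" + BOUNDARY + "--",
    "",
]).encode("ascii")
NEW_HEADER = 'multipart/related; boundary="%s"; type="application/soap+xml"' % BOUNDARY
OLD_HEADER = NEW_HEADER + "; charset=UTF-8"
```

With `OLD_HEADER` the only finding is the `charset` on the outer header; with `NEW_HEADER` there are none, and the root is the first body part because no `start` parameter is given.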