santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cantor, Scott" <canto...@osu.edu>
Subject Re: XML Security Java 1.5.0-RC1 available
Date Tue, 20 Dec 2011 15:59:17 GMT
On 12/20/11 10:55 AM, "Sean Mullan" <sean.mullan@oracle.com> wrote:

>It no longer searches. All IDs have to be pre-registered. It knows about
>IDs in the XML signature namespace so pre-registers those itself.

Does that imply you no longer rely on getElementById either? Because
that's a search you don't control, and we know Xerces allows duplicates,
ergo so does Santuario if it uses that API.

>We could search the entire document every time for duplicate IDs but
>then nobody would use the library because it would be too slow.

It would work fine in many applications that favor guarantees over speed.

>This is an issue that we can solve partially, but in my opinion higher
>level APIs need to also do their job and register the IDs in their own
>namespaces (or use a validating schema). Then wrapping attacks are not
>possible.

Unless you're not using the DOM ID APIs anymore, they're still possible
because Xerces remains broken.

-- Scott


Mime
View raw message