santuario-dev mailing list archives

From "Cantor, Scott" <canto...@osu.edu>
Subject Re: Broken Test Cases from 1.4.4 to 1.5.2? Related to ID?
Date Tue, 21 Aug 2012 02:31:06 GMT
On 8/20/12 10:26 PM, "Michael Bishop" <bishopmw@gmail.com> wrote:
>
>Which goes back to your original statement in that you have to "identify"
>ID attributes via a custom resolver, schema constraint, or DOM3 API
>calls?

Yes, that's correct. Assuming ID based on attribute name alone opens you
up to wrapping attacks. Unfortunately, because Xerces is broken and
refuses to enforce ID uniqueness within the DOM itself (when you tell it
what the IDs are), you're still open to wrapping attacks even if you do
the right things superficially.

In other words, be very, very careful. Never process signed content unless
you rely on an API that gives you only what was verified (fed into the
digest), or unless you "redo" the same ID lookup logic that the xmlsec
library does/did before passing anything that was supposedly verified into
application layer code.

-- Scott
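
The uniqueness check described in the message above, as an added example that is not part of the original post and is not Santuario code. The class name, the method name `registerIds`, the attribute name `Id` and both sample documents are constructed for illustration. The code marks ID attributes explicitly through the DOM3 call `setIdAttribute` and enforces uniqueness itself instead of relying on the parser to do so.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IdUniquenessCheck {
    // Constructed sample: two elements share one Id value, the shape a wrapping attack relies on.
    static final String WRAPPED = "<Envelope>"
        + "<Wrapper><Assertion Id=\"a1\"><Subject>unsigned</Subject></Assertion></Wrapper>"
        + "<Assertion Id=\"a1\"><Subject>signed</Subject></Assertion></Envelope>";
    // Constructed sample with a single, unambiguous Id.
    static final String CLEAN = "<Envelope>"
        + "<Assertion Id=\"a1\"><Subject>signed</Subject></Assertion></Envelope>";

    // Marks every idAttr attribute as a DOM ID and throws if a value occurs twice.
    static Map<String, Element> registerIds(Document doc, String idAttr) {
        Map<String, Element> seen = new HashMap<>();
        NodeList all = doc.getElementsByTagName("*"); // every element in the document
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttribute(idAttr)) continue;
            if (seen.put(e.getAttribute(idAttr), e) != null)
                throw new SecurityException("duplicate ID value: " + e.getAttribute(idAttr));
            e.setIdAttribute(idAttr, true); // explicit ID typing, not a guess made at lookup time
        }
        return seen;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Map<String, Element> ids = registerIds(parse(CLEAN), "Id");
        // Application code takes the element from the same lookup a "#a1" reference would use.
        System.out.println("clean: " + ids.get("a1").getTextContent());
        try {
            registerIds(parse(WRAPPED), "Id");
        } catch (SecurityException ex) {
            System.out.println("wrapped: rejected, " + ex.getMessage());
        }
    }
}
```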

