santuario-dev mailing list archives

From Colm O hEigeartaigh <>
Subject Re: [security] Protections against Duo Labs type attacks
Date Thu, 08 Mar 2018 12:15:39 GMT
This attack does not appear to apply to the Java DOM implementation, as the
entire node value is parsed - and not just the bit up to the comment. I
added a sanity test to WSS4J (which depends on Santuario) here to check
that it works OK:

However, I definitely encourage downstream projects to incorporate these
types of tests into their builds - other Java based XML parsing libraries
might be vulnerable.


On Thu, Mar 8, 2018 at 12:06 PM, Tom Chiverton <> wrote:

> I was reading [1] and wondered if there are either specific protections
> already in place in Apache Santuario's XML security implementation, or if
> it's up to callers of the API to make sure they use it in just the right
> way?
> As a concrete example, implementations may be doing something like calling
>'s checkSignatureValue() with a
> reference to either the SAML's X509 certificate and/or the Signature node.
> If the latter is being extracted with doc.getElementsByTagNameNS(SignatureSpecNS,
> "Signature") is this sufficient protection against the new attack?
> [1]
> affecting-multiple-implementations
> --
> *Tom Chiverton*
> Lead Developer

Colm O hEigeartaigh

Talend Community Coder
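The "sanity test" Colm describes, written out as an added example that is not code from Santuario, WSS4J or either poster. It parses a constructed SAML fragment whose NameID text is split by an XML comment, then compares three ways of reading the identifier: the first child text node only (the fragile pattern behind the Duo Labs finding), a manual concatenation of all text children, and the DOM's own getTextContent(). The class name, method names and the sample document are all assumptions made for the example; the namespace URI is the standard SAML 2.0 assertion namespace.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Sanity test for the "comment inside a text node" parsing behaviour.
 * Example code, not part of Santuario or WSS4J.
 */
public class CommentSplitCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample, not taken from any real SAML exchange: the NameID
    // text is interrupted by an empty comment.
    static final String SAMPLE =
        "<Assertion xmlns=\"" + SAML_NS + "\">"
        + "<Subject><NameID>user@example.com<!---->.other.example</NameID></Subject>"
        + "</Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // General hardening, unrelated to the comment issue: no DTDs at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Fragile extraction: reads only the first child node's value. */
    static String firstTextNodeOnly(Element e) {
        Node first = e.getFirstChild();
        return first == null ? "" : first.getNodeValue();
    }

    /** Robust extraction: concatenates every text/CDATA child and skips comments. */
    static String allText(Element e) {
        StringBuilder sb = new StringBuilder();
        NodeList kids = e.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            short t = n.getNodeType();
            if (t == Node.TEXT_NODE || t == Node.CDATA_SECTION_NODE) {
                sb.append(n.getNodeValue());
            }
        }
        return sb.toString();
    }

    /**
     * The check a downstream build can assert on: the extraction method the
     * application relies on (here getTextContent()) must yield the whole
     * value, i.e. the same string as concatenating all text children.
     */
    static boolean extractsFullValue(Element e) {
        return allText(e).equals(e.getTextContent());
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);
        Element nameId = (Element) doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0);

        System.out.println("first text node only: " + firstTextNodeOnly(nameId));
        System.out.println("all text children   : " + allText(nameId));
        System.out.println("getTextContent()    : " + nameId.getTextContent());

        // With the JDK DOM the first line is the truncated "user@example.com";
        // the other two return the full value, so the check passes.
        if (!extractsFullValue(nameId)) {
            throw new AssertionError("identifier extraction stops at the comment");
        }
        System.out.println("sanity check passed");
    }
}
```

The useful part of the test is the disagreement between the first output line and the other two: any code path that identifies the subject from a single Text node will see a different principal than one that reads the complete element content, and it is the latter that the signature covers. Running the same check against whichever helper your own code uses to read NameID (or any other signed identifier) is the point Colm makes about downstream projects.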
