santuario-dev mailing list archives

From George Stanchev <>
Subject RE: [security] Protections against Duo Labs type attacks
Date Tue, 13 Mar 2018 19:57:57 GMT
> Do you know what the Java settings are that would make it vulnerable 
> to this attack?

Ignoring comments, the usual entity expansion and DTD issues, and a setting to coalesce CDATA
into Text nodes are the ones that can create or prevent problems. That in combination with
the actual DOM calls being done can interact in various ways that create problems or prevent

The "safe" mode, insofar as anything is safe, is to ignore comments (*), prevent DTDs from
appearing and block entity expansion, and to coalesce CDATA so it never appears in the DOM.

-- Scott

(*) This of course prevents signing comments. You can still use #WithComments c14n methods,
but if any comments were in the DOM when signed, the other end will fail to validate.


Is there any reason why the standard allowed #WithComments? I cannot think of a single reason
why you would want comments in SAML elements. It makes life so much more complicated.
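The parser configuration Scott describes, as an added example (not code from this thread or from Santuario itself): a `DocumentBuilderFactory` with DTDs disallowed, external entity resolution and entity expansion turned off, comments ignored, and CDATA coalesced into Text nodes, plus a small check that a leaf element such as a NameID is a single Text node before its value is used. The feature URIs are the ones understood by the JDK's built-in Xerces parser; the `HardenedDomParser` class name, the `singleTextValue` helper and the sample document are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class HardenedDomParser {

    // The "safe" mode from the thread: no DTDs, no entity expansion, no comment nodes,
    // and CDATA merged into ordinary Text nodes so it never shows up in the DOM.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature and SAML processing need namespaces
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE, which removes internal DTD subsets and entity declarations entirely.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setIgnoringComments(true); // comments are dropped, so they cannot split a text value
        dbf.setCoalescing(true);       // CDATA sections become part of the adjacent Text node
        return dbf;
    }

    // A factory with JDK defaults, kept only to show the DOM shape the check above guards against.
    public static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf;
    }

    // Defensive accessor for a leaf element: insist on exactly one child and that it is a Text
    // node. Reading getFirstChild().getNodeValue() without this check returns only the first
    // fragment when comments or CDATA have split the content into several children.
    public static String singleTextValue(Element e) {
        if (e.getChildNodes().getLength() != 1
                || e.getFirstChild().getNodeType() != Node.TEXT_NODE) {
            throw new IllegalStateException(
                    "element <" + e.getTagName() + "> does not contain a single Text node");
        }
        return e.getFirstChild().getNodeValue();
    }

    private static Element parseNameId(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return (Element) doc.getElementsByTagName("NameID").item(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a comment and a CDATA section sit inside the NameID text.
        String xml = "<r><NameID>alice<!-- c -->@example<![CDATA[.org]]></NameID></r>";

        // Hardened factory: one Text node holding the whole value.
        Element hardened = parseNameId(hardenedFactory(), xml);
        System.out.println("hardened: children=" + hardened.getChildNodes().getLength()
                + " value=" + singleTextValue(hardened));

        // Default factory: the comment and CDATA produce several child nodes, so the
        // check refuses the element instead of silently handing back a truncated value.
        Element plain = parseNameId(defaultFactory(), xml);
        System.out.println("default: children=" + plain.getChildNodes().getLength());
        try {
            singleTextValue(plain);
        } catch (IllegalStateException ex) {
            System.out.println("default: rejected (" + ex.getMessage() + ")");
        }
    }
}
```

The parser settings and the DOM check are complementary, as Scott's note about "the actual DOM calls being done" suggests: the hardened factory keeps comments and CDATA out of the DOM, and the check catches any other parser configuration that still lets a value arrive as more than one node.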