
RE: Xpath wrapping attack

From: Pratik Datta <pratik.datta@oracle.com>
Date: Thu, 28 Oct 2010 11:57:15 -0700 (PDT)
Message-ID: <cb4c8d61-6a8f-4559-a03b-99c06e890956@default>
To: Scott Cantor <cantor.2@osu.edu>, public-xmlsec@w3.org

I don't want to add another parameter to C14N just for this. We are already in the mode of trying to reduce parameters, so I wanted to reuse the QNameAware parameter. Besides, this is also a QNames-in-content issue, which is the main purpose of QNameAware.

We don't have a use case of XPaths in attributes, only in elements.

Pratik

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Thursday, October 28, 2010 11:10 AM
To: Pratik Datta; public-xmlsec@w3.org
Subject: RE: Xpath wrapping attack

> Currently we have a mechanism for defining text nodes that may contain
> qname, using the <c14n2:QNameAware> element, but this is only for text nodes
> whose entire content is a QName, it does not do any scanning.  So I propose
> that we add a new sub element to QNameAware and call it
> "<c14n2:XPathElement>". This would be used to identify elements that contain
> XPaths

I don't think that shouldn't be part of QNameAware. It sounds like you want
a new option, XPathAware, which probably derives from a common base type.

For example, you suggest allowing for element content, but what about
attributes?

I think it's better to keep them distinct options, and just share a content
model.

-- Scott
Received on Thursday, 28 October 2010 18:59:29 GMT
