protecting prefixes in XPath expressions

From: <Frederick.Hirsch@nokia.com>
Date: Tue, 21 Sep 2010 15:51:47 +0200
To: <Meiko.Jensen@ruhr-uni-bochum.de>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
Message-ID: <518A24B7-D707-4BE0-B2CE-EE7589D39999@nokia.com>
[moving discussion to public list]

Meiko

Thanks for the excellent paper on namespaces and XML Signature.

I was thinking there might be another mitigation approach that gets the benefits of prefix-free XPath expressions without introducing massive user-errors, of which you note many possibilities.

What if we define SigXPath which requires pre-processing of an XPath expression to replace prefix:local in the XPath expression with

/*[local-name() = "local" and namespace-uri() = "prefix"]

thus obtaining the prefix-free expression as XPath input, but making it a toolkit issue, not an end-user issue?

Might be a pragmatic approach toward mitigating the risk without requiring user-change...

Maybe this should be part of the XPath "profile" definition?

regards, Frederick

Frederick Hirsch
Nokia



On Sep 14, 2010, at 11:52 AM, ext Meiko Jensen wrote:

> As requested, here is the paper corresponding to Action-538
> 
> cheers
> 
> Meiko
> 
> -- 
> Dipl.-Inf. Meiko Jensen
> Chair for Network and Data Security 
> Horst Görtz Institute for IT-Security 
> Ruhr University Bochum, Germany
> _____________________________
> Universitätsstr. 150, Geb. ID 2/411
> D-44801 Bochum, Germany
> Phone: +49 (0) 234 / 32-26796
> Telefax: +49 (0) 234 / 32-14347
> http://www.nds.rub.de
> 
> 
> <sws01-jensen.pdf>
Received on Tuesday, 21 September 2010 13:52:37 GMT
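
The pre-processing step proposed in the message above, sketched as an added example (not part of the original post and not code from any XML Signature toolkit). It assumes the toolkit holds a prefix-to-namespace-URI map captured at signing time; `to_prefix_free`, `BINDINGS` and the `urn:example:*` namespaces are hypothetical, and the rewriter is regex-based rather than a full XPath 1.0 parser.

```python
import re

# One token is either an XPath string literal (copied through untouched) or a
# prefixed QName / prefix:* name test, optionally followed by "(" (function call).
_TOKEN = re.compile(r'''
    (?P<str>"[^"]*"|'[^']*')
  | (?<![\w.$-])(?P<prefix>[A-Za-z_][\w.-]*):(?P<local>\*|[A-Za-z_][\w.-]*)(?P<call>\s*\()?
''', re.VERBOSE)


def _literal(value):
    """Quote a value as an XPath 1.0 string literal (there is no escape syntax)."""
    for quote in ('"', "'"):
        if quote not in value:
            return quote + value + quote
    raise ValueError("cannot quote value containing both quote types: %r" % value)


def to_prefix_free(expr, bindings):
    """Rewrite every prefix:local name test in expr into a prefix-free step.

    bindings maps prefix -> namespace URI as seen by the signer (assumption:
    the toolkit captures these when the signature is created).
    """
    def rewrite(m):
        if m.group("str") or m.group("call"):
            return m.group(0)          # literals and prefixed function names stay as-is
        prefix, local = m.group("prefix"), m.group("local")
        if prefix not in bindings:
            raise ValueError("unbound prefix %r" % prefix)   # fail closed
        ns_test = "namespace-uri()=" + _literal(bindings[prefix])
        if local == "*":
            return "*[" + ns_test + "]"
        return "*[local-name()=" + _literal(local) + " and " + ns_test + "]"
    return _TOKEN.sub(rewrite, expr)


# Constructed sample: the prefixes and URNs below are illustrative only.
BINDINGS = {"a": "urn:example:a", "b": "urn:example:b"}
SAMPLE = '//a:Body[@b:Id="a:Body"]/child::a:*'

if __name__ == "__main__":
    print(to_prefix_free(SAMPLE, BINDINGS))
```

The rewritten expression no longer depends on whatever prefix declarations are in scope in the document being verified; axis names such as `child::` and the text inside string literals are left alone.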