- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 3 Dec 2010 16:04:06 +0100
- To: "XMLSec WG Public List" <public-xmlsec@w3.org>
Regarding the long-running Action-538 of mine, I'd say that with the new Streamable XPath profile we defined, the spec provides the necessary tools to fend off signature wrapping attacks as well as possible for now. People most likely won't use it, since it's easier to stick to ID-based referencing or more convenient to use full XPath instead of Streaming XPath, but we're pushing people in the right direction.

StreamingXPath still allows the use of namespace prefixes in selection XPaths, hence these signatures will still be exploitable using the namespace injection technique, but we provide some new features to counter them. First, we show people how to protect themselves using the [local-name() and namespace-uri()] predicate style (which is safe to use), and secondly, we enable handling XPath prefixes in terms of "visible utilization". In other words: the threat is still out there, but we've done all we can to mitigate it. Fending it off would require us to mostly throw away our backwards-compatibility requirement and nearly start from scratch.

Once Pratik's Algorithm for extracting prefixes from XPaths and treating them as "visibly utilized" is put into the spec, I consider this action ready to be closed. Finally ;)

cheers
Meiko

--
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security
Horst Görtz Institute for IT-Security
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. ID 2/411
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
Received on Friday, 3 December 2010 15:04:32 UTC
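The two mitigations the message names, rewriting prefixed XPath steps into the `[local-name() and namespace-uri()]` predicate style and extracting the prefixes an XPath filter uses so they can be treated as visibly utilized, are illustrated below in an added Python example. It is not code from the message, the working group, or Pratik's actual algorithm; the prefix scanner is a simplified stand-alone tokenizer that skips string literals and axis specifiers, and the namespace URIs in the sample map are only sample bindings for the demonstration. With the predicate form, the selected element is bound to a namespace URI in the signed expression itself, so re-declaring a prefix in the document cannot redirect the selection.

```python
import re
from typing import Dict, List

# A quoted XPath string literal ('...' or "..."); text inside it never
# denotes a namespace prefix, so the scanner blanks it out first.
_STRING = re.compile(r"'[^']*'|\"[^\"]*\"")

# prefix:local or prefix:* as a name test. The lookbehind stops the scanner
# from matching a suffix of a longer name, and "(?!:)" skips axis
# specifiers such as "descendant::" which use a double colon.
_QNAME = re.compile(r"(?<![\w.-])([A-Za-z_][\w.-]*):(?!:)([A-Za-z_][\w.-]*|\*)")


def extract_prefixes(xpath: str) -> List[str]:
    """Return the namespace prefixes a filter expression relies on, in order.

    Simplified stand-in (an assumption, not the spec's algorithm) for the
    'visibly utilized' prefix extraction the message refers to: every prefix
    returned here must have its binding covered by the signature.
    """
    stripped = _STRING.sub("''", xpath)
    seen: List[str] = []
    for match in _QNAME.finditer(stripped):
        prefix = match.group(1)
        if prefix not in seen:
            seen.append(prefix)
    return seen


def _rewrite_segment(segment: str, ns_map: Dict[str, str]) -> str:
    """Rewrite prefixed name tests in a literal-free XPath fragment."""

    def repl(match: "re.Match[str]") -> str:
        prefix, local = match.group(1), match.group(2)
        if prefix not in ns_map:
            raise ValueError(f"undeclared prefix {prefix!r} in XPath filter")
        uri = ns_map[prefix]
        if local == "*":
            return f"*[namespace-uri()='{uri}']"
        return f"*[local-name()='{local}' and namespace-uri()='{uri}']"

    return _QNAME.sub(repl, segment)


def rewrite_prefixed_steps(xpath: str, ns_map: Dict[str, str]) -> str:
    """Replace every prefix:name step by the prefix-free predicate style.

    Attribute steps keep their '@' and become @*[...]; string literals are
    copied through untouched so that a literal like 'a:b' is not rewritten.
    Raises ValueError if the expression uses a prefix that ns_map lacks.
    """
    out: List[str] = []
    pos = 0
    for literal in _STRING.finditer(xpath):
        out.append(_rewrite_segment(xpath[pos:literal.start()], ns_map))
        out.append(literal.group(0))
        pos = literal.end()
    out.append(_rewrite_segment(xpath[pos:], ns_map))
    return "".join(out)


# Sample prefix bindings (constructed for this example).
SAMPLE_NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

if __name__ == "__main__":
    expr = "//soap:Body[@ds:Id='part:1']"
    print("prefixes to treat as visibly utilized:", extract_prefixes(expr))
    print("prefix-free form:", rewrite_prefixed_steps(expr, SAMPLE_NS))
```

Used as a pre-signing check, `extract_prefixes` tells the signer which prefix bindings must be pinned (for example via the visibly-utilized handling the message describes), while `rewrite_prefixed_steps` produces the form the message recommends so the filter no longer depends on the document's prefix declarations at all.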