- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 22 Jul 2010 13:40:13 +0200
- To: "XMLSec WG Public List" <public-xmlsec@w3.org>
Regarding my Action-586 I drafted a new paragraph for the best practices document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3 (since I consider it to be close to 2.2.2 in content):

=================================

2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to be selected for signing

Example: Insecure Approval verification message

    <Doc xmlns="http://any.ns"
         xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
      <Approval xml:id="ap">...</Approval>
      <Signature>
        ...
        <Reference URI="">
          <Transforms>
            <Transform Algorithm="...xmldsig-filter2">
              <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and namespace-uri="http://any.ns"]</dsig-xpath:XPath>
            </Transform>
          </Transforms>
          ...
        </Reference>
      </Signature>
    </Doc>

In this case, the XPath filter looks like it selects the Approval element of namespace http://any.ns. However, in fact, it selects nothing at all. Note that the function is spelled "local-name", not "localname", and that both function calls omit their brackets (). The correct XPath expression would have been //*[local-name()="Approval" and namespace-uri()="http://any.ns"].

The problem here is that the XPath evaluation will not raise an exception, nor give any other advice that the XPath selected nothing or has a bad syntax. This is due to the fact that the XPath parser will interpret the misspelled function names as regular XPath tokens, hence leading to completely different semantics that do not match the intended selection.

As before, since nothing is selected, the digital signature does not provide any data integrity properties, but also raises no exception either on signature application or on verification. Hence, when applying XML Signatures using XPath it is recommended to always actively verify that the signature protects the intended elements, not more, not less.

=================================

This should close ACTION-586.

best regards

Meiko

--
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security
Horst Görtz Institute for IT-Security
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
Received on Thursday, 22 July 2010 11:40:38 UTC
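
The silent empty selection described in the message, and the recommended active check, as an added example that is not part of the original message or of the Best Practices document. It uses the JDK's standard JAXP XPath API; the class name, the `requireExactly` guard and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ApprovalSelectionCheck {
    // Constructed sample modelled on the message's document (Signature element omitted).
    static final String XML =
        "<Doc xmlns=\"http://any.ns\"><Approval xml:id=\"ap\">approved</Approval></Doc>";
    // The two expressions quoted in the message.
    static final String BAD = "//*[localname=\"Approval\" and namespace-uri=\"http://any.ns\"]";
    static final String GOOD = "//*[local-name()=\"Approval\" and namespace-uri()=\"http://any.ns\"]";

    static NodeList select(Document doc, String expr) throws Exception {
        // Without "()", localname and namespace-uri parse as child-element name tests.
        return (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate(expr, doc, XPathConstants.NODESET);
    }

    // Hypothetical guard: the expression must select exactly the one intended element,
    // not more, not less. Run it before signing and again before trusting a signature.
    static void requireExactly(Document doc, String expr, String ns, String local) throws Exception {
        NodeList hits = select(doc, expr);
        NodeList intended = doc.getElementsByTagNameNS(ns, local);
        if (hits.getLength() != 1 || intended.getLength() != 1
                || !hits.item(0).isSameNode(intended.item(0))) {
            throw new SecurityException("XPath selects " + hits.getLength()
                + " node(s), expected exactly {" + ns + "}" + local + ": " + expr);
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for namespace-uri() and getElementsByTagNameNS
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));

        // Both expressions evaluate without an exception; only the node counts differ.
        System.out.println("misspelled expression: " + select(doc, BAD).getLength() + " node(s)");
        System.out.println("correct expression:    " + select(doc, GOOD).getLength() + " node(s)");

        requireExactly(doc, GOOD, "http://any.ns", "Approval");
        try {
            requireExactly(doc, BAD, "http://any.ns", "Approval");
        } catch (SecurityException e) {
            System.out.println("guard rejected: " + e.getMessage());
        }
    }
}
```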