- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 23 Jul 2010 11:06:01 +0200
- To: Frederick.Hirsch@nokia.com
- Cc: public-xmlsec@w3.org
- Message-ID: <4C495B79.6010405@ruhr-uni-bochum.de>
Frederick,

you are right, that title is better.
Besides: regrets for August 3rd.

best regards

Meiko

Frederick.Hirsch@nokia.com wrote:
> Meiko
>
> I suggest changing the title of this example to be more descriptive:
>
> 2.2.3 Modified Approval Example: Incorrect XPath syntax signals no error and results in nothing selected for signing
>
> Unless someone raises a concern on the list, I'll go ahead and add this to the Best Practices document.
>
> Thanks
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On Jul 22, 2010, at 7:40 AM, ext Meiko Jensen wrote:
>
>
>> Regarding my Action-586 I drafted a new paragraph for the best practices
>> document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3
>> (since I consider it to be close to 2.2.2 in content):
>>
>> =================================
>> 2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to
>> be selected for signing
>>
>> Example: Insecure Approval verification message
>>
>> <Doc xmlns="http://any.ns"
>>      xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
>>   <Approval xml:id="ap">...</Approval>
>>   <Signature>
>>     ...
>>     <Reference URI="">
>>       <Transforms>
>>         <Transform Algorithm="...xmldsig-filter2">
>>           <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and
>> namespace-uri="http://any.ns"]</dsig-xpath:XPath>
>>         </Transform>
>>       </Transforms> ...
>>     </Reference>
>>   </Signature>
>> </Doc>
>>
>> In this case, the XPath filter looks like selecting the Approval element
>> of namespace http://any.ns. However, in fact, it selects nothing at all.
>> Note that the function is spelled "local-name", not "localname", and
>> that both function calls omit their brackets (). The correct XPath
>> expression would have been
>> //*[local-name()="Approval" and namespace-uri()="http://any.ns"].
>> The problem here consists in that the XPath evaluation will not raise an
>> exception, nor give any other advice on that the XPath selected nothing
>> or has a bad syntax. This is due to the fact that the XPath parser will
>> interpret the misspelled function names as regular XPath tokens, hence
>> leading to a completely different semantics that does not match the
>> intended selection.
>> As before, since nothing is selected, the digital signature does not
>> provide any data integrity properties, but also raises no exception
>> neither on signature application nor on verification. Hence, when
>> applying XML Signatures using XPath it is recommended to always actively
>> verify that the signature protects the intended elements, not more, not
>> less.
>> =================================
>>
>> This should close ACTION-586.
>>
>> best regards
>>
>> Meiko
>>
>> --
>> Dipl.-Inf. Meiko Jensen
>> Chair for Network and Data Security
>> Horst Görtz Institute for IT-Security
>> Ruhr University Bochum, Germany
>> _____________________________
>> Universitätsstr. 150, Geb. IC 4/150
>> D-44780 Bochum, Germany
>> Phone: +49 (0) 234 / 32-26796
>> Telefax: +49 (0) 234 / 32-14347
>> http://www.nds.rub.de
>>
>>
>>
>
>

--
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security
Horst Görtz Institute for IT-Security
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de

Received on Friday, 23 July 2010 09:06:34 UTC
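
The check recommended in the quoted draft, as an added example that is not part of the original message or of the Best Practices document: it evaluates the draft's two XPath expressions with lxml and rejects a selection that is empty or does not match the intended elements. The sample document is constructed, and the names `select` and `check_coverage` are hypothetical.

```python
from lxml import etree

# Constructed sample modelled on the message's example; the Signature element is omitted.
DOC = b"""<Doc xmlns="http://any.ns">
  <Approval xml:id="ap">approved</Approval>
  <Other>unrelated</Other>
</Doc>"""

# The two expressions from the draft paragraph: misspelled and corrected.
BROKEN = '//*[localname="Approval" and namespace-uri="http://any.ns"]'
FIXED = '//*[local-name()="Approval" and namespace-uri()="http://any.ns"]'
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"


def select(root, xpath):
    """Evaluate an XPath 1.0 expression and return the selected elements."""
    result = root.xpath(xpath)
    if not isinstance(result, list):
        raise ValueError("XPath did not return a node-set: %r" % (result,))
    # Keep element nodes only (drops strings, comments, processing instructions).
    return [n for n in result if isinstance(getattr(n, "tag", None), str)]


def check_coverage(root, xpath, expected):
    """Hypothetical guard: the XPath must select exactly the expected
    (qualified tag, xml:id) pairs, not more, not less."""
    selected = select(root, xpath)
    if not selected:
        raise ValueError("XPath selected nothing; the signature would protect no data")
    got = sorted((el.tag, el.get(XML_ID, "")) for el in selected)
    if got != sorted(expected):
        raise ValueError("XPath selected %r, expected %r" % (got, sorted(expected)))
    return selected


if __name__ == "__main__":
    root = etree.fromstring(DOC)
    want = [("{http://any.ns}Approval", "ap")]
    for name, xp in (("broken", BROKEN), ("fixed", FIXED), ("too broad", "//*")):
        try:
            check_coverage(root, xp, want)
            print(name, "-> OK")
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

The misspelled expression evaluates without any error because `localname` and `namespace-uri` without parentheses are parsed as child element name tests, so only the explicit coverage check catches it.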