- From: <Frederick.Hirsch@nokia.com>
- Date: Fri, 23 Jul 2010 21:43:59 +0200
- To: <Meiko.Jensen@ruhr-uni-bochum.de>
- CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
I have updated the Best Practices document to add the new section on incorrect XPaths, with editorial revisions to the text, and change of title, also adding a best practice (which was in the text proposal but not highlighted).

Please review the change so we can approve during the call:

http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/#incorrect-xpath-syntax

Thanks

regards, Frederick

Frederick Hirsch
Nokia

On Jul 22, 2010, at 7:40 AM, ext Meiko Jensen wrote:

> Regarding my Action-586 I drafted a new paragraph for the best practices
> document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3
> (since I consider it to be close to 2.2.2 in content):
>
> =================================
> 2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to
> be selected for signing
>
> Example: Insecure Approval verification message
>
> <Doc xmlns="http://any.ns"
>      xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
>   <Approval xml:id="ap">...</Approval>
>   <Signature>
>     ...
>     <Reference URI="">
>       <Transforms>
>         <Transform Algorithm="...xmldsig-filter2">
>           <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and
>           namespace-uri="http://any.ns"]</dsig-xpath:XPath>
>         </Transform>
>       </Transforms>
>       ...
>     </Reference>
>   </Signature>
> </Doc>
>
> In this case, the XPath filter looks like selecting the Approval element
> of namespace http://any.ns. However, in fact, it selects nothing at all.
> Note that the function is spelled "local-name", not "localname", and
> that both function calls omit their brackets (). The correct XPath
> expression would have been
> //*[local-name()="Approval" and namespace-uri()="http://any.ns"].
> The problem here consists in that the XPath evaluation will not raise an
> exception, nor give any other advice on that the XPath selected nothing
> or has a bad syntax. This is due to the fact that the XPath parser will
> interpret the misspelled function names as regular XPath tokens, hence
> leading to a completely different semantics that does not match the
> intended selection.
> As before, since nothing is selected, the digital signature does not
> provide any data integrity properties, but also raises no exception
> neither on signature application nor on verification. Hence, when
> applying XML Signatures using XPath it is recommended to always actively
> verify that the signature protects the intended elements, not more, not
> less.
> =================================
>
> This should close ACTION-586.
>
> best regards
>
> Meiko
>
> --
> Dipl.-Inf. Meiko Jensen
> Chair for Network and Data Security
> Horst Görtz Institute for IT-Security
> Ruhr University Bochum, Germany
> _____________________________
> Universitätsstr. 150, Geb. IC 4/150
> D-44780 Bochum, Germany
> Phone: +49 (0) 234 / 32-26796
> Telefax: +49 (0) 234 / 32-14347
> http:// www.nds.rub.de
>
>

Received on Friday, 23 July 2010 19:44:42 UTC
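
The silent empty selection described in the quoted draft, and the recommended "not more, not less" check, as an added example that is not part of either message or of the Best Practices document. It assumes the third-party lxml package is installed; the sample document is constructed, and `check_selection` is a hypothetical guard name that inspects only the nodes the expression selects.

```python
# Added example; requires the third-party lxml package (assumption).
from lxml import etree

# Constructed sample document, modelled on the example in the message.
DOC = b"""<Doc xmlns="http://any.ns">
  <Approval xml:id="ap">approved</Approval>
  <Other>not meant to be signed</Other>
</Doc>"""

NS = "{http://any.ns}"
BROKEN = '//*[localname="Approval" and namespace-uri="http://any.ns"]'
FIXED = '//*[local-name()="Approval" and namespace-uri()="http://any.ns"]'


def parse_sample():
    """Parse the constructed sample document and return its root element."""
    return etree.fromstring(DOC)


def select(root, expr):
    """Evaluate an XPath 1.0 expression and return the selected nodes."""
    return root.xpath(expr)


def check_selection(root, expr, expected_tags):
    """Hypothetical guard: accept only if exactly the intended elements are selected."""
    selected = select(root, expr)
    if not selected:
        # BROKEN lands here: 'localname' and 'namespace-uri' without ()
        # are child-element name tests, so the predicate is always false.
        raise ValueError("XPath selected nothing: " + expr)
    got = sorted(el.tag for el in selected)
    if got != sorted(expected_tags):
        raise ValueError("XPath selected %r, expected %r" % (got, expected_tags))
    return selected


if __name__ == "__main__":
    root = parse_sample()
    print("broken:", select(root, BROKEN))
    print("fixed: ", [el.tag for el in select(root, FIXED)])
    for expr in (BROKEN, FIXED, "//*"):
        try:
            check_selection(root, expr, [NS + "Approval"])
            print("accepted:", expr)
        except ValueError as err:
            print("rejected:", err)
```
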