Xpath wrapping attack from Pratik Datta on 2010-10-28 (public-xmlsec@w3.org from October 2010)

From: Pratik Datta <pratik.datta@oracle.com>
Date: Thu, 28 Oct 2010 10:49:38 -0700 (PDT)
To: public-xmlsec@w3.org
Message-ID: <0661fce5-a1d6-41c9-a6ab-2cacf7f26155@default>

Related to my ACTION-680

To prevent the XPath wrapping attack in Exclusive canonicalization, we have modified the definition of "visibly utilizes" in Exclusive canonicalization, so that is also considers prefixes in the XPath expressions.

I.e. if there is an XPath expression like this
  <dsig2:IncludedXPath>/soap:Envelope/soap:Body</dsig2:IncludedXPath>

Then the "soap" prefix will also be considered as visibly utilized. 


Currently we have a mechanism for defining text nodes that may contain qname, using the <c14n2:QNameAware> element, but this only for text nodes whose entire content is a QName, it does not do any scanning.  So I propose that we add a new sub element to QNameAware and call it "<c14n2:XPathElement>. This would be used to identify elements that contain XPaths

e.g.
<c14n2:QNameAware>
  <c14n2:XPathElement Name="IncludedXPath" NS="http://www.w3.org/2010/xmldsig2#"/>
  <c14n2:XPathElement Name="ExcludedXPath" NS="http://www.w3.org/2010/xmldsig2#"/>
</c14n2:QNameAware>


The C14N 2.0 algorithm will do special processing for all elements identified in a such away, i.e. it will scan the text context for prefixes, ignoring quoted content.

Note this will be an "implicit" parameter, i.e. The signature will always pass in IncludedXPath and ExludedXPath as qname aware xpath elements to C14N 2.0, even if they are not specified in the signature. Very much like how we implicitly exclude the Signature element.


Pratik

Received on Thursday, 28 October 2010 17:50:56 UTC