protecting prefixes in XPath expressions

[moving discussion to public list]

Meiko

Thanks for the excellent paper on namespaces and XML Signature.

I was thinking there might be another mitigation approach that gets the benefits of prefix-free XPath expressions without introducing massive user-errors, of which you note many possibilities.

What if we define SigXPath which requires pre-processing of an XPath expression to replace prefix:local in the XPath expression with

/*[local-name() = "local" and namespace-uri() = "prefix"]

thus obtaining the prefix-free expression as XPath input, but making it a toolkit issue, not an end-user issue?

Might be a pragmatic approach toward mitigating the risk without requiring user-change...

Maybe this should be part of the XPath "profile" definition?

regards, Frederick

Frederick Hirsch
Nokia



On Sep 14, 2010, at 11:52 AM, ext Meiko Jensen wrote:

> As requested, here is the paper corresponding to Action-538
> 
> cheers
> 
> Meiko
> 
> -- 
> Dipl.-Inf. Meiko Jensen
> Chair for Network and Data Security 
> Horst Görtz Institute for IT-Security 
> Ruhr University Bochum, Germany
> _____________________________
> Universitätsstr. 150, Geb. ID 2/411
> D-44801 Bochum, Germany
> Phone: +49 (0) 234 / 32-26796
> Telefax: +49 (0) 234 / 32-14347
> http://www.nds.rub.de
> 
> 
> <sws01-jensen.pdf>

Received on Tuesday, 21 September 2010 13:52:37 UTC
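
The pre-processing step proposed in the message above, as an added example (not code from the message, the paper, or any XML Signature toolkit). It assumes the toolkit supplies the prefix-to-URI bindings itself and places the bound namespace URI in the `namespace-uri()` test; `BINDINGS` and the function names are hypothetical, and the sketch goes slightly beyond the message by also covering `prefix:*`, axis steps, string literals and unbound prefixes.

```python
import re

# Constructed prefix bindings (assumption): fixed by the toolkit when the
# signature is created, not read from the document being verified.
BINDINGS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
}

_NAME = r"[A-Za-z_][\w.-]*"
_TOKEN = re.compile(
    r"""(?P<lit>"[^"]*"|'[^']*')"""                 # string literal: copied as-is
    rf"""|(?<![\w.$-])(?P<prefix>{_NAME}):(?!:)"""  # prefix, not an axis (::) or $var
    rf"""(?P<local>\*|{_NAME})(?P<call>\s*\()?"""   # local name or *, maybe a call
)


def _quote(value):
    """XPath 1.0 literals have no escapes, so pick a delimiter the value lacks."""
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    raise ValueError("value contains both quote characters")


def to_prefix_free(xpath, bindings=BINDINGS):
    """Rewrite each prefix:local name test into a prefix-free predicate."""
    def repl(m):
        if m.group("lit") or m.group("call"):
            return m.group(0)  # literals and prefixed function calls untouched
        prefix, local = m.group("prefix"), m.group("local")
        if prefix not in bindings:
            raise ValueError(f"unbound prefix: {prefix}")  # fail closed
        tests = [] if local == "*" else [f"local-name() = {_quote(local)}"]
        tests.append(f"namespace-uri() = {_quote(bindings[prefix])}")
        return "*[" + " and ".join(tests) + "]"
    return _TOKEN.sub(repl, xpath)


if __name__ == "__main__":
    print(to_prefix_free('/soap:Envelope/soap:Body//ds:Reference[@URI = "#ds:x"]'))
```

Because the rewritten expression contains no prefixes, its result no longer depends on which namespace declarations are in scope where the expression is evaluated.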