Hi,

I think I've discovered two bugs in the c14n methods of XML Security. Your site recommends bringing up bugs on the mailing list first (a sensible precaution!), so I'll detail my findings here and see if anyone can confirm whether these bugs are valid. I'm using the Java 1.3 version of XML Security.

The first potential problem is that XML security doesn't appear to order namespace attributes in the same manner as the W3C spec. The W3C c14n spec gives an example here: http://www.w3.org/TR/xml-c14n#Example-SETags

In the W3C example, it transforms this tag:

   <e5 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
      xmlns:b="http://www.ietf.org"
      xmlns:a="http://www.w3.org"
      xmlns="http://example.org"/>

Into this (ignore the word-wrapping - it's all one line):

<e5 xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e5>

I tried the same test using the XMLUtils.outputDOMc14nWithComments method, and it returned this result (again, ignore the word-wrapping):

<e5 a:attr="out" attr="I'm" attr2="all" b:attr="sorted" xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org"></e5>

The second problem is that in the spec, empty xmlns attributes are removed. Thus, this original tag:

   <e6 xmlns="" xmlns:a="http://www.w3.org">

Becomes this, when c14n'd:

   <e6 xmlns:a="http://www.w3.org">

The XMLUtils.outputDOMc14nWithComments method does not remove the redundant xmlns attribute:

   <e6 xmlns="" xmlns:a="http://www.w3.org">

The code I used to obtain all of this output is attached.

--
James Reeves
http://www.hybridfour.com

import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XmlC14nTest
{
    public static void main(String[] args) throws Exception
    {
        // Initialise the XML Security library before using any of its utilities.
        org.apache.xml.security.Init.init();

        // Input document taken from the W3C C14N example (Example-SETags);
        // the internal DTD supplies the default value of e9's "attr" attribute.
        String xml = "<!DOCTYPE doc [<!ATTLIST e9 attr CDATA \"default\">]>\n" +
                     "<doc>\n" +
                     "   <e1   />\n" +
                     "   <e2   ></e2>\n" +
                     "   <e3   name = \"elem3\"   id=\"elem3\"   />\n" +
                     "   <e4   name=\"elem4\"   id=\"elem4\"   ></e4>\n" +
                     "   <e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\"\n" +
                     "      xmlns:b=\"http://www.ietf.org\"\n" +
                     "      xmlns:a=\"http://www.w3.org\"\n" +
                     "      xmlns=\"http://example.org\"/>\n" +
                     "   <e6 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
                     "      <e7 xmlns=\"http://www.ietf.org\">\n" +
                     "         <e8 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
                     "            <e9 xmlns=\"\" xmlns:a=\"http://www.ietf.org\"/>\n" +
                     "         </e8>\n" +
                     "      </e7>\n" +
                     "   </e6>\n" +
                     "</doc>\n";

        // Default JAXP factory settings; namespace awareness is off unless
        // setNamespaceAware(true) is called on the factory.
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();

        Document document = builder.parse(new InputSource(new StringReader(xml)));

        // Canonicalise (C14N with comments) and write the result to stdout.
        XMLUtils.outputDOMc14nWithComments(document, System.out);
    }
}
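The two C14N rules the message turns on, worked through as an added Python example against the e5 to e8 elements quoted above (this is illustrative code, not part of the original message or of XML Security): namespace declarations are sorted by prefix with the default namespace first and superfluous declarations dropped, including an xmlns="" under an ancestor that has no default namespace; attributes are sorted by namespace URI and then local name. The `{prefix: uri}` scope dicts and `(prefix, local_name, value)` attribute tuples are an assumed representation, not a DOM API.

```python
# Constructed inputs shaped after the e5..e8 elements quoted in the message:
# xmlns declarations as {prefix: uri} ('' = default namespace), attributes as
# (prefix, local_name, value) tuples ('' prefix = unqualified attribute).

def canonical_namespaces(declared, parent_scope):
    """Drop superfluous declarations, then sort (default namespace first, then by prefix).

    A declaration is superfluous when the nearest output ancestor already binds the same
    prefix to the same URI. An absent default namespace reads as "", so the same test drops
    xmlns="" when no default namespace is in scope (e6) and keeps it when one is (e8).
    """
    return sorted((p, u) for p, u in declared.items() if parent_scope.get(p, "") != u)

def canonical_attributes(attrs, scope):
    """Sort by namespace URI (unqualified attributes first), then by local name."""
    return sorted(attrs, key=lambda a: (scope[a[0]] if a[0] else "", a[1]))

def canonical_start_tag(name, declared, parent_scope, attrs):
    """Render one canonical start tag; also return the element's in-scope namespaces."""
    scope = dict(parent_scope)
    scope.update(declared)
    parts = [name]
    for prefix, uri in canonical_namespaces(declared, parent_scope):
        parts.append('xmlns="%s"' % uri if prefix == "" else 'xmlns:%s="%s"' % (prefix, uri))
    # Values are emitted as-is: C14N leaves the apostrophe in "I'm" unescaped.
    for prefix, local, value in canonical_attributes(attrs, scope):
        parts.append('%s="%s"' % (local if prefix == "" else prefix + ":" + local, value))
    return "<" + " ".join(parts) + ">", scope

def canonicalize_chain(elements, scope=None):
    """Canonical start tags for a nesting chain (each element is the previous one's child)."""
    scope, tags = dict(scope or {}), []
    for name, declared, attrs in elements:
        tag, scope = canonical_start_tag(name, declared, scope, attrs)
        tags.append(tag)
    return tags

E5 = ("e5", {"b": "http://www.ietf.org", "a": "http://www.w3.org", "": "http://example.org"},
      [("a", "attr", "out"), ("b", "attr", "sorted"), ("", "attr2", "all"), ("", "attr", "I'm")])
E6 = ("e6", {"": "", "a": "http://www.w3.org"}, [])
E7 = ("e7", {"": "http://www.ietf.org"}, [])
E8 = ("e8", {"": "", "a": "http://www.w3.org"}, [])

if __name__ == "__main__":
    for tag in canonicalize_chain([E5]) + canonicalize_chain([E6, E7, E8]):
        print(tag)
```

Run stand-alone it prints the W3C-expected e5 and e6 start tags, and shows why e8 keeps its xmlns="" while e6 loses it.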
