> Do you know what the Java settings are that would make it vulnerable 
> to this attack?

Ignoring comments, the usual entity expansion and DTD issues, and a setting to 
coalesce CDATA into Text nodes are the ones that can create or prevent 
problems. That in combination with the actual DOM calls being done can interact 
in various ways that create problems or prevent them.

The "safe" mode, insofar as anything is safe, is to ignore comments (*), 
prevent DTDs from appearing and block entity expansion, and to coalesce CDATA 
so it never appears in the DOM.

-- Scott

(*) This of course prevents signing comments. You can still use #WithComments 
c14n methods, but if any comments were in the DOM when signed, the other end 
will fail to validate.


Is there any reason why the standard allowed #WithComments? I cannot think a 
single reason why would you want comments in SAML elements. It makes life so 
much more complicated. 

Reply via email to