steel scorpion wrote:
From: Erwin van der Koogh <[EMAIL PROTECTED]>

Somewhere in your code you have a reference to a particular ID, but it's not always possible to see what attributes are of type ID. To


Not sure I understand this completely. Does this mean that, from a
parser/resolver point of view, it is impossible to find out the type of
an attribute? For example, if I have the following two schemas,
does it mean that it's impossible to distinguish between the two?

I believe so, unless you use a parser that validates the XML against the schema below, and therefore can identify the elements with ID attributes.


==== Schema 1: id is of type "xs:ID" ==================


<?xml version="1.0" encoding="UTF-8"?>
<xs:schema elementFormDefault="qualified" xml:lang="EN"
    targetNamespace="http://www.mydomain.com/demo/Test"
    xmlns:test="http://www.mydomain.com/demo/Test"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">

    <xs:element name="TestO" type="test:TestType"/>

    <xs:complexType name="TestType">
        <xs:sequence>
            <xs:element name="Name" type="xs:string"/>
            <xs:element name="Value" type="xs:integer"/>
        </xs:sequence>
        <xs:attribute name="id" type="xs:ID"/>
    </xs:complexType>

</xs:schema>

==== Schema 2: id is of type "xs:string" ==================

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema elementFormDefault="qualified" xml:lang="EN"
    targetNamespace="http://www.mydomain.com/demo/Test2"
    xmlns:test="http://www.mydomain.com/demo/Test2"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">

    <xs:element name="TestO" type="test:TestType"/>

    <xs:complexType name="TestType">
        <xs:sequence>
            <xs:element name="Name" type="xs:string"/>
            <xs:element name="Value" type="xs:integer"/>
        </xs:sequence>
        <xs:attribute name="id" type="xs:string"/>
    </xs:complexType>

</xs:schema>


make it easier to program we have included an IDResolver that instead tries to guess what you want by trying to find attributes called Id/ID/id. This is potentially insecure, as someone could introduce XML that would be picked instead and change the XML you tried to sign. It's then possible that when you verify the signature you verify the copy of the XML. Then there is the risk that you take the modified XML and use that instead.


Sounds reasonable.


A little bit fabricated, but potentially insecure, depending on how you use the library.

The preferred way would be to use a custom Resolver. See the examples ;)


Which resolver? You mean, like the OfflineResolver? Or are you talking about
the IdResolver?


Thanks

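The failure mode Erwin describes (a resolver that guesses by attribute name picks the first element carrying Id/ID/id, so a copied, untouched signed element can be placed earlier in the document and the modified element is left where the application reads it) and steel scorpion's question (whether anything short of a schema-aware parser can tell an xs:ID attribute from an xs:string one), worked through as an added example. This is illustration code written for this page in Python, not code from the XML Security library or from either poster; the two documents, the element and attribute names, the `DECLARED_ID_ATTRS` set standing in for what a schema would type as xs:ID, and a SHA-256 over the element's serialization standing in for a real reference digest are all constructed assumptions.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:example:order"          # assumed namespace for the constructed documents
ORDER = f"{{{NS}}}Order"
VALUE = f"{{{NS}}}Value"

# Constructed sample: the document as the application signed it (Value = 100).
ORIGINAL_DOC = f"""<o:Envelope xmlns:o="{NS}">
  <o:Order id="order-1"><o:Name>widget</o:Name><o:Value>100</o:Value></o:Order>
</o:Envelope>"""

# Constructed sample: the signed Order is moved, byte-for-byte unchanged, under a
# Wrapper the schema never allowed, and a modified Order (Value = 100000) takes its
# original place. Nothing in the moved copy has changed, so its digest still matches.
TAMPERED_DOC = f"""<o:Envelope xmlns:o="{NS}">
  <o:Wrapper>
    <o:Order id="order-1"><o:Name>widget</o:Name><o:Value>100</o:Value></o:Order>
  </o:Wrapper>
  <o:Order id="order-1"><o:Name>widget</o:Name><o:Value>100000</o:Value></o:Order>
</o:Envelope>"""

# Hypothetical stand-in for the schema: only the 'id' attribute of o:Order is an xs:ID.
# A validating parser would know this from the schema; a plain parser cannot.
DECLARED_ID_ATTRS = {(ORDER, "id")}


def element_digest(el):
    """SHA-256 over the element's serialization (tail text dropped so that where the
    element sits in the document does not change the digest). Stand-in for DigestValue."""
    el = copy.deepcopy(el)
    el.tail = None
    return hashlib.sha256(ET.tostring(el)).hexdigest()


def guess_id_resolver(root, ref_id):
    """The guessing strategy: first element in document order whose attribute named
    Id, ID or id equals ref_id, regardless of what element it is or whether the
    schema types that attribute as an ID."""
    for el in root.iter():
        if any(el.get(name) == ref_id for name in ("Id", "ID", "id")):
            return el
    raise LookupError(f"no element with id {ref_id!r}")


def schema_id_resolver(root, ref_id):
    """Resolver that only honours attributes the schema declares as xs:ID and, like a
    validating parser, refuses a document in which that ID value is not unique."""
    hits = [el for el in root.iter()
            for (tag, attr) in DECLARED_ID_ATTRS
            if el.tag == tag and el.get(attr) == ref_id]
    if not hits:
        raise LookupError(f"no element with id {ref_id!r}")
    if len(hits) > 1:
        raise ValueError(f"ID {ref_id!r} is not unique ({len(hits)} elements)")
    return hits[0]


def sign_reference(doc_text, ref_id):
    """Minimal 'reference': which ID was signed and the digest over that element."""
    root = ET.fromstring(doc_text)
    return {"uri": "#" + ref_id, "digest": element_digest(schema_id_resolver(root, ref_id))}


def verify_reference(doc_text, reference, resolver):
    """Resolve the reference with the given resolver and compare digests.
    Returns 'ok', 'digest-mismatch', 'ambiguous-id' or 'no-such-id'."""
    root = ET.fromstring(doc_text)
    try:
        target = resolver(root, reference["uri"].lstrip("#"))
    except ValueError:
        return "ambiguous-id"
    except LookupError:
        return "no-such-id"
    return "ok" if element_digest(target) == reference["digest"] else "digest-mismatch"


def order_value_after_verification(doc_text, reference, resolver):
    """What applications commonly do: verify, then read the Order where they expect it
    (a direct child of the envelope) rather than the element the resolver returned.
    Returns the integer Value, or None if verification did not pass."""
    if verify_reference(doc_text, reference, resolver) != "ok":
        return None
    root = ET.fromstring(doc_text)
    return int(root.find(ORDER).find(VALUE).text)


REFERENCE = sign_reference(ORIGINAL_DOC, "order-1")

if __name__ == "__main__":
    for name, resolver in (("guess", guess_id_resolver), ("schema", schema_id_resolver)):
        print(name, verify_reference(TAMPERED_DOC, REFERENCE, resolver),
              order_value_after_verification(TAMPERED_DOC, REFERENCE, resolver))
```

With the guessing resolver the tampered document "verifies" (the copy under Wrapper is found first and its digest is intact) and the application then acts on the Order with Value 100000; with the schema-aware resolver the duplicate `id` is rejected before any digest is compared. A custom resolver for a real deployment does the same thing the `schema_id_resolver` above does: it is told, per element, which attribute is the ID (or it validates against the schema so the parser knows), and it treats more than one match as an error rather than picking one.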