https://issues.apache.org/bugzilla/show_bug.cgi?id=46975

           Summary: Use of same prefix in two different namespace
                    declarations in a document breaks c14n
           Product: Security
           Version: Java 1.4.2
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Canonicalization
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: canto...@osu.edu


We have a sample involving a SAML 1.1 assertion that's internally including a
SAML 2.0 element inside one of the components, and the SAML library happens to
be using the prefix "saml" for both of the namespaces involved. The prefix is
also included in the inclusive prefix list, but I don't know if that's a
trigger for the bug yet.

In any case, what happens is that the c14n output to the digester is omitting
the second, nested namespace declaration because the prefix is already declared
up above, not noticing that the namespace itself has changed.

We're observing both an older Java version (1.4.1) and the latest C++ xmlsec
code rejecting this signature, so I suspect it's a regression and was working
correctly before, but need more time to prove that.

The relevant case looks like this:

<Foo xmlns:bar="https://bar.com">
    <Foo2 xmlns:bar="https://bar2.com"/>
</Foo>

What we're seeing is bar omitted from the Foo2 element. I don't know if a
sample that small will trip it, but the full example that does is attached.
Search for NameID and you'll see the second declaration of xmlns:saml.

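A triage check for the condition described in this report, as an added example that is not part of the original bug report or of the Apache XML Security code: it lists every element that rebinds an in-scope prefix to a different namespace URI, which are the places to confirm the nested declaration survives in the canonicalized bytes fed to the digester. The function name `find_rebound_prefixes` and the sibling control document are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

# The reduced case from the report (embedded here as a bytes literal).
REPORT_CASE = b"""<Foo xmlns:bar="https://bar.com">
    <Foo2 xmlns:bar="https://bar2.com"/>
</Foo>"""

# Constructed control: the prefix is reused by siblings, never nested.
SIBLING_CASE = b'<a><b xmlns:p="urn:one"/><c xmlns:p="urn:two"/></a>'


def find_rebound_prefixes(xml_bytes):
    """Return (element_tag, prefix, outer_uri, inner_uri) for every element
    that redeclares an in-scope prefix with a different namespace URI."""
    scopes = {}    # prefix -> stack of URIs currently in scope
    declared = []  # prefixes in declaration order, popped on end-ns
    pending = []   # rebindings seen since the previous element start
    findings = []
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":
            prefix, uri = payload
            stack = scopes.setdefault(prefix, [])
            if stack and stack[-1] != uri:
                pending.append((prefix, stack[-1], uri))
            stack.append(uri)
            declared.append(prefix)
        elif event == "end-ns":
            # end-ns events arrive in reverse declaration order
            scopes[declared.pop()].pop()
        else:
            # start-ns events precede the start event of the declaring element
            findings.extend((payload.tag, *hit) for hit in pending)
            pending.clear()
    return findings


if __name__ == "__main__":
    for tag, prefix, outer, inner in find_rebound_prefixes(REPORT_CASE):
        print(f"<{tag}> rebinds xmlns:{prefix}: {outer!r} -> {inner!r}")
```

Each finding names an element whose `xmlns:` declaration must appear in the canonical form; if a canonicalizer's output lacks it there, the digest is being computed over the wrong bytes.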