Posted to commits@santuario.apache.org by mu...@apache.org on 2022/03/09 15:55:55 UTC

[santuario-xml-security-java] branch 2.3.x-fixes updated: Fix issue when parsing invalid xpointer URI. Code now throws XMLSignatureException instead of StringIndexOutOfBoundsException.

This is an automated email from the ASF dual-hosted git repository.

mullan pushed a commit to branch 2.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git


The following commit(s) were added to refs/heads/2.3.x-fixes by this push:
     new 629d71e  Fix issue when parsing invalid xpointer URI. Code now throws XMLSignatureException instead of StringIndexOutOfBoundsException.
629d71e is described below

commit 629d71eab12b3d518bf932c90629025f5a4296ce
Author: Sean Mullan <se...@oracle.com>
AuthorDate: Wed Mar 9 10:55:09 2022 -0500

    Fix issue when parsing invalid xpointer URI. Code now throws
    XMLSignatureException instead of StringIndexOutOfBoundsException.
---
 .../xml/dsig/internal/dom/DOMURIDereferencer.java  |  4 ++-
 .../apache/jcp/xml/dsig/internal/dom/Utils.java    |  4 ++-
 .../xml/crypto/test/dsig/XMLSignatureTest.java     | 33 ++++++++++++++++++++++
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java
index b5594c5..4050353 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMURIDereferencer.java
@@ -73,7 +73,9 @@ public final class DOMURIDereferencer implements URIDereferencer {
             if (id.startsWith("xpointer(id(")) {
                 int i1 = id.indexOf('\'');
                 int i2 = id.indexOf('\'', i1+1);
-                id = id.substring(i1+1, i2);
+                if (i1 >= 0 && i2 >= 0) {
+                    id = id.substring(i1 + 1, i2);
+                }
             }
 
             Node referencedElem = dcc.getElementById(id);
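Review bot: When either quote is missing, the new guard leaves `id` as the whole `xpointer(id(...))` text and the very next line passes it to `getElementById`, so a malformed pointer is only rejected indirectly by whatever the failed lookup produces, and an element whose ID attribute literally equals that string would be dereferenced instead. Since `dereference` is declared to throw `URIReferenceException` (the test added in this commit already expects it as the cause), failing explicitly is clearer and gives the caller an actionable message: `if (i1 < 0 || i2 < 0) { throw new URIReferenceException("Malformed xpointer reference: " + id); }` placed before the substring. The enclosing `dereference` method starts and ends outside this hunk, so check whether a surrounding catch already maps this case. The same two-quote parse is duplicated in Utils.java in this commit; delegating to that helper would keep the two guards from drifting apart.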
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java
index 10817f0..b40b950 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/Utils.java
@@ -90,7 +90,9 @@ public final class Utils {
         if (id.startsWith("xpointer(id(")) {
             int i1 = id.indexOf('\'');
             int i2 = id.indexOf('\'', i1+1);
-            id = id.substring(i1+1, i2);
+            if (i1 >= 0 && i2 >= 0) {
+                id = id.substring(i1 + 1, i2);
+            }
         }
         return id;
     }
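Review bot: The new guard changes the method's contract silently: for a malformed `xpointer(id(...))` fragment the function now returns the unparsed fragment as the id instead of throwing, and nothing in the hunk says that this fall-through is intentional. A one-line comment on the guard would save the next reader from "fixing" it: `// Malformed xpointer (missing quotes): return the fragment unchanged so the caller's ID lookup fails instead of throwing StringIndexOutOfBoundsException.` Note that the parse still accepts `xpointer(id('a'` with no closing `'))`, which is presumably fine for a lenient lookup but worth stating in the method's Javadoc. The enclosing method's signature is above this hunk, so the Javadoc update lands outside the visible lines.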
diff --git a/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java b/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java
index ae46e3b..dd0ed25 100644
--- a/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java
+++ b/src/test/java/javax/xml/crypto/test/dsig/XMLSignatureTest.java
@@ -27,10 +27,12 @@ import java.util.*;
 import java.security.*;
 
 import javax.xml.crypto.URIDereferencer;
+import javax.xml.crypto.URIReferenceException;
 import javax.xml.crypto.dom.DOMStructure;
 import javax.xml.crypto.dsig.*;
 import javax.xml.crypto.dsig.keyinfo.*;
 import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
 import javax.xml.crypto.dsig.dom.DOMSignContext;
 import javax.xml.crypto.dsig.dom.DOMValidateContext;
 import javax.crypto.spec.SecretKeySpec;
@@ -403,6 +405,37 @@ public class XMLSignatureTest {
         assertTrue(sig.validate(validateContext));
     }
 
+    @org.junit.jupiter.api.Test
+    public void testBadXPointer() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Element root = doc.createElementNS(null, "Root");
+        SignatureMethod sm = SIG_METHODS[1];
+        CanonicalizationMethod cm = fac.newCanonicalizationMethod(
+            CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec)null);
+        DigestMethod dm = fac.newDigestMethod(DigestMethod.SHA256, null);
+        Transform tr = fac.newTransform(
+            Transform.ENVELOPED, (TransformParameterSpec)null);
+        KeyInfo ki = kifac.newKeyInfo(Collections.singletonList
+            (kifac.newKeyValue((PublicKey)VALIDATE_KEYS[1])));
+        XMLObject xo = fac.newXMLObject(
+            Collections.singletonList(new DOMStructure(root)), "a", null, null);
+        SignedInfo si = fac.newSignedInfo(cm, sm,
+            Collections.singletonList(fac.newReference("#xpointer(id('a))",
+                dm, Collections.singletonList(tr), null, null)));
+        XMLSignature sig = fac.newXMLSignature(si, ki,
+            Collections.singletonList(xo), id, sigValueId);
+        XMLSignContext signContext = new DOMSignContext(SIGN_KEYS[1], doc);
+        try {
+            sig.sign(signContext);
+            throw new Exception("Failed: expected XMLSignatureException");
+        } catch (XMLSignatureException xse) {
+            if (!(xse.getCause() instanceof URIReferenceException) &&
+                !(xse.getMessage().contains("Could not find a resolver"))) {
+                throw new Exception("Failed: wrong cause or reason", xse);
+            }
+        }
+    }
+
     private SignedInfo createSignedInfo(SignatureMethod sm) throws Exception {
         // set up the building blocks
         CanonicalizationMethod cm = fac.newCanonicalizationMethod
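Review bot: The catch block in `testBadXPointer` accepts two unrelated outcomes (a `URIReferenceException` cause, or any message containing "Could not find a resolver"), and if the cause check fails on an exception with a null message the `contains` call throws NPE, which would make the failure look like a test bug rather than a wrong exception. Since this file already uses JUnit 5 assertions (`assertTrue` on the context line above), the expectation can be pinned more tightly: `XMLSignatureException xse = assertThrows(XMLSignatureException.class, () -> sig.sign(signContext));` followed by `assertTrue(xse.getCause() instanceof URIReferenceException, "wrong cause: " + xse);` — assuming `assertThrows` is imported or can be added at the top of the file, which is outside this hunk. The test exercises only the signing path; if validation reaches the parser changed in Utils.java by a different route, a second case that runs `validate` over a document containing the malformed reference would cover that change as well.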