Posted to commits@santuario.apache.org by mu...@apache.org on 2013/11/04 20:09:18 UTC
svn commit: r1538722 -
/santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java
Author: mullan
Date: Mon Nov 4 19:09:18 2013
New Revision: 1538722
URL: http://svn.apache.org/r1538722
Log:
Guard against RetrievalMethod loops when secure validation prop is enabled.
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java?rev=1538722&r1=1538721&r2=1538722&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java Mon Nov 4 19:09:18 2013
@@ -224,6 +224,21 @@ public final class DOMRetrievalMethod ex
} catch (Exception e) {
throw new URIReferenceException(e);
}
+
+ // guard against RetrievalMethod loops
+ if (data instanceof NodeSetData && Utils.secureValidation(context)) {
+ NodeSetData nsd = (NodeSetData)data;
+ Iterator i = nsd.iterator();
+ if (i.hasNext()) {
+ Node root = (Node)i.next();
+ if ("RetrievalMethod".equals(root.getLocalName())) {
+ throw new URIReferenceException(
+ "It is forbidden to have one RetrievalMethod point " +
+ "to another when secure validation is enabled");
+ }
+ }
+ }
+
return data;
}
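Review bot: The loop guard at `"RetrievalMethod".equals(root.getLocalName())` matches on local name only and inspects just the first node the iterator returns, so it is narrower than the log message suggests. An element of that name in a foreign namespace is rejected. Conversely, the check does not fire when the first node is a document, text or comment node (`getLocalName()` returns null for those) or when the result is not a `NodeSetData`; whether the dereferencer can return those shapes is not visible in this hunk. I would tighten the match to `if (root.getNodeType() == Node.ELEMENT_NODE && XMLSignature.XMLNS.equals(root.getNamespaceURI()) && "RetrievalMethod".equals(root.getLocalName()))`, assuming `XMLSignature` is already imported in this file, and extend the comment to `// guard against RetrievalMethod loops: only a direct RetrievalMethod -> RetrievalMethod reference is rejected here`. That change fixes the namespace match only; the first-node and non-NodeSetData cases need a separate decision, and the enclosing method starts above the hunk, so the type of `data` is inferred from context.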