Posted to dev@santuario.apache.org by bu...@apache.org on 2007/01/25 16:16:41 UTC

DO NOT REPLY [Bug 41462] New: - Xml canonization - UTF-8 encoding issue in Xml security 1.4.0

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41462>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41462

           Summary: Xml canonization - UTF-8 encoding issue in Xml security
                    1.4.0
           Product: Security
           Version: unspecified
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: critical
          Priority: P1
         Component: Canonicalization
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: karol.rewera@vsoft.pl


Overview Description: 

Implementation of c14n canonization method generates wrong canonical form of Xml
document with Latin characters.

Steps to Reproduce:

Generate canonical form of Xml document which contains Latin characters using
Canonicalizer20010315OmitComments class and compare it with canonical form
generated with Stylus Studio 2007 or Microsoft.NET 2.0.

Actual Results:

Canonicalizer20010315OmitComments class generates canonical form of Xml document
with Latin characters encoded in a wrong way.

The problem is caused by wrong recognition of whether a character is represented
with one or many bytes, in file "CanonicalizerBase.java" in method static final void
outputTextToWriter(final String text, final OutputStream writer), line 829
("if ((c & 0x80) ==0)").

Example: 
let c = 0x15B //(int)c gives 347, a character 'ś'
c & 0x80 == 0 is true so c is written to OutputStream as single byte 0x5B - '['
character (line 830).

As a result canonical form of input Xml document is generated in a wrong way.
Wrong canonical form causes interoperability problems in verifying digital
signature of files generated with libraries of other vendors.

Expected Results:

Xml security libraries for Apache should generate correct canonical form of Xml
documents which contain Latin characters.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
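A small model of the defect the report describes, added here as an illustration (it is not code from the bug report or from Apache XML Security): it puts the (c & 0x80) == 0 test beside the correct one, shows U+015B being truncated to '[', and lists which code points the broken test misclassifies. The sample text node and the SHA-1 stand-in for a DigestValue are constructed for this example.

```python
import hashlib

def buggy_is_single_byte(c: str) -> bool:
    # The test quoted in the report (CanonicalizerBase.outputTextToWriter, line 829)
    # only inspects bit 7 of the UTF-16 code unit, so any code point >= U+0100 whose
    # low byte has bit 7 clear (U+015B among them) is mistaken for a one-byte character.
    return (ord(c) & 0x80) == 0

def correct_is_single_byte(c: str) -> bool:
    # A character fits in one UTF-8 byte only if its code point is below U+0080.
    return ord(c) < 0x80

def buggy_output_text(text: str) -> bytes:
    # Emulates the 1.4.0 behaviour described in the report: a char that passes the
    # broken test is written as a single truncated byte, everything else is encoded
    # correctly. (XML escaping of &, <, > is left out; it is not part of the bug.)
    out = bytearray()
    for c in text:
        if buggy_is_single_byte(c):
            out.append(ord(c) & 0xFF)   # U+015B -> 0x5B, which is '['
        else:
            out += c.encode("utf-8")
    return bytes(out)

def correct_output_text(text: str) -> bytes:
    # What a conforming canonicalizer must emit: the text node as plain UTF-8.
    return text.encode("utf-8")

def affected_code_points(limit: int = 0x10000) -> list:
    # Every BMP code point above U+007F that the broken test treats as single-byte.
    return [cp for cp in range(0x80, limit) if buggy_is_single_byte(chr(cp))]

def digest_hex(canonical_bytes: bytes) -> str:
    # Stand-in for the DigestValue a signer computes over the canonical form; a
    # different canonical form gives a different digest, hence the interop failure
    # when verifying signatures produced by other vendors' libraries.
    return hashlib.sha1(canonical_bytes).hexdigest()

if __name__ == "__main__":
    sample = "Wro\u015Bniewski"   # constructed text node containing U+015B (s with acute)
    print(buggy_output_text(sample))    # b'Wro[niewski'
    print(correct_output_text(sample))  # b'Wro\xc5\x9bniewski'
    print(len(affected_code_points()))  # 32640
```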

DO NOT REPLY [Bug 41462] - Xml canonization - UTF-8 encoding issue in Xml security 1.4.0

raul-info@r-bg.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lijun.liao@gmail.com




------- Additional Comments From raul-info@r-bg.com  2007-03-09 06:03 -------
*** Bug 41472 has been marked as a duplicate of this bug. ***


DO NOT REPLY [Bug 41462] - Xml canonization - UTF-8 encoding issue in Xml security 1.4.0

sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matej@setcce.org




------- Additional Comments From sean.mullan@sun.com  2007-03-20 09:47 -------
*** Bug 41846 has been marked as a duplicate of this bug. ***


DO NOT REPLY [Bug 41462] - Xml canonization - UTF-8 encoding issue in Xml security 1.4.0

sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




------- Additional Comments From sean.mullan@sun.com  2007-09-19 12:24 -------
Closing old bugs. Fixed in 1.4.1


DO NOT REPLY [Bug 41462] - Xml canonization - UTF-8 encoding issue in Xml security 1.4.0

raul-info@r-bg.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From raul-info@r-bg.com  2007-03-09 06:02 -------
Fixed in SVN head, please check it.


DO NOT REPLY [Bug 41462] - Xml canonization - UTF-8 encoding issue in Xml security 1.4.0

------- Additional Comments From jdmarshall@gmail.com  2007-02-22 12:53 -------
This is a pretty awful bug.  This will block me from being able to deploy 1.4.0,
which I need to deal with the race condition in the X509 code.

Has anyone figured out a workaround for this bug yet?

From looking at the code, I think the submitter has it right here.  This line he
mentions below introduces the bug, and it was added in 1.4.

A better option perhaps would be to achieve this optimization another way:  let
Hotspot do it for you.

In many cases, such as exactly this scenario here, you have a method that has a
frequently-executed conditional block at the top that uses a cheap, happy path
(or short circuits).  However, Hotspot only inlines very short methods, so the
method call is preserved. (Can JDK 6.0 do partial inlining?  I don't honestly
know).  So what some clever folks figured out is that if you factor out the
'long path' into another method, then Hotspot will frequently inline the
short-circuit logic into the caller.  


