Posted to dev@santuario.apache.org by bu...@apache.org on 2010/08/05 16:16:08 UTC

DO NOT REPLY [Bug 49710] New: exc-c14n damages namespaces of XML

https://issues.apache.org/bugzilla/show_bug.cgi?id=49710

           Summary: exc-c14n damages namespaces of XML
           Product: Security
           Version: Java 1.4.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Canonicalization
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: aklitzing@gmail.com


The canonicalizer (java) with exc-c14n produces an invalid XML document here.
It removes a namespace from an attribute that is still used in that element. I
attach an example xsd and xml file.
If I canonicalize this xml file with exc-c14n it will remove the namespace
xmlns:xs="http://www.w3.org/2001/XMLSchema". So the attribute
ns:type="xs:string" won't be valid afterwards.
Even if I add the namespace to the root element (bla:document) it will be
removed.

Validated with xmllint --noout --schema example.xsd example.xml

Is this really correct for this canonicalization method to damage the xml file?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

DO NOT REPLY [Bug 49710] exc-c14n damages namespaces of XML

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49710

Scott Cantor <ca...@osu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #5 from Scott Cantor <ca...@osu.edu> 2010-08-05 10:37:34 EDT ---
Your example is not a bug. Exclusive c14n does not handle namespace prefixes
found in QName content, including xsi:type attributes. If you have such cases,
you have to force inclusive mode using the InclusivePrefix list.

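The behaviour described in comment #5, as an added example that is not part of the thread or of Santuario's code: a simplified Python sketch of the Exclusive C14N namespace rule, which declares a prefix only where an element or attribute name visibly uses it, or where the prefix is listed in the InclusiveNamespaces PrefixList. The sample document is constructed from the names quoted in the report, and the sketch is not a conformant canonicalizer (no comments, default namespace or escaping rules).

```python
from xml.dom import minidom

# Constructed sample modelled on the report; it is not the attached file.
SAMPLE = (
    '<bla:document xmlns:bla="http://test/1.0"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<bla:value xsi:type="xs:string">abc</bla:value>'
    '</bla:document>'
)

def exc_c14n_sketch(node, inclusive_prefixes=(), in_scope=None, rendered=None):
    """Serialize an element, declaring only visibly utilized or forced prefixes."""
    in_scope = dict(in_scope or {})   # prefix -> URI declared here or on ancestors
    rendered = dict(rendered or {})   # prefix -> URI already written by an ancestor
    attrs = list(node.attributes.values())
    for a in attrs:
        if a.name.startswith("xmlns:"):
            in_scope[a.name[6:]] = a.value
    plain = [a for a in attrs if not a.name.startswith("xmlns")]
    # Visibly utilized: the prefix of the element name or of an attribute name.
    # Attribute values such as "xs:string" are opaque text to the algorithm.
    names = [node.tagName] + [a.name for a in plain]
    used = {n.split(":")[0] for n in names if ":" in n}
    out = "<" + node.tagName
    for prefix in sorted((used | set(inclusive_prefixes)) & set(in_scope)):
        if rendered.get(prefix) != in_scope[prefix]:
            out += ' xmlns:%s="%s"' % (prefix, in_scope[prefix])
            rendered[prefix] = in_scope[prefix]
    for a in sorted(plain, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, a.value)
    out += ">"
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += exc_c14n_sketch(child, inclusive_prefixes, in_scope, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += child.data
    return out + "</" + node.tagName + ">"

ROOT = minidom.parseString(SAMPLE).documentElement
DEFAULT = exc_c14n_sketch(ROOT)           # xmlns:xs is dropped
FORCED = exc_c14n_sketch(ROOT, ["xs"])    # xmlns:xs kept via the prefix list

if __name__ == "__main__":
    print(DEFAULT)
    print(FORCED)
```
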

Re: DO NOT REPLY [Bug 49710] New: exc-c14n damages namespaces of XML

Posted by Chad La Joie <la...@itumi.biz>.
Sean, Colm could you please hold off on doing any changes to the 
Canonicalizers for a day or two.  Those were the classes that most 
heavily used the == so I have some local changes here that I'll be 
submitting a patch for quite soon.

On 8/5/10 10:16 AM, bugzilla@apache.org wrote:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49710
>
>             Summary: exc-c14n damages namespaces of XML
>             Product: Security
>             Version: Java 1.4.2
>            Platform: All
>          OS/Version: All
>              Status: NEW
>            Severity: normal
>            Priority: P2
>           Component: Canonicalization
>          AssignedTo: security-dev@xml.apache.org
>          ReportedBy: aklitzing@gmail.com
>
>
> The canonicalizer (java) with exc-c14n produces an invalid XML document here.
> It removes a namespace from an attribute that is still used in that element. I
> attach an example xsd and xml file.
> If I canonicalize this xml file with exc-c14n it will remove the namespace
> xmlns:xs="http://www.w3.org/2001/XMLSchema". So the attribute
> ns:type="xs:string" won't be valid afterwards.
> Even if I add the namespace to the root element (bla:document) it will be
> removed.
>
> Validated with xmllint --noout --schema example.xsd example.xml
>
> Is this really correct for this canonicalization method to damage the xml file?
>

-- 
Chad La Joie
http://itumi.biz
trusted identities, delivered

DO NOT REPLY [Bug 49710] exc-c14n damages namespaces of XML

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49710

--- Comment #2 from AK <ak...@gmail.com> 2010-08-05 10:20:16 EDT ---
Created an attachment (id=25846)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25846)
XML File


DO NOT REPLY [Bug 49710] exc-c14n damages namespaces of XML

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49710

--- Comment #1 from AK <ak...@gmail.com> 2010-08-05 10:18:01 EDT ---
Created an attachment (id=25845)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25845)
XML Schema


DO NOT REPLY [Bug 49710] exc-c14n damages namespaces of XML

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49710

--- Comment #4 from AK <ak...@gmail.com> 2010-08-05 10:33:16 EDT ---
damaged.xml:4: element value: Schemas validity error : Element
'{http://test/1.0}value', attribute
'{http://www.w3.org/2001/XMLSchema-instance}type': The QName value 'xs:string'
has no corresponding namespace declaration in scope.

damaged.xml fails to validate


DO NOT REPLY [Bug 49710] exc-c14n damages namespaces of XML

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49710

--- Comment #3 from AK <ak...@gmail.com> 2010-08-05 10:21:22 EDT ---
Created an attachment (id=25847)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25847)
XML File (after canonicalization - invalid in schema checking)
