You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/04/15 18:26:05 UTC
[jira] [Updated] (SANTUARIO-262) Invalid use of String.getBytes()
[ https://issues.apache.org/jira/browse/SANTUARIO-262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated SANTUARIO-262:
------------------------------------------
Affects Version/s: (was: Java 1.5)
Java 1.4.4
Fix Version/s: Java 1.5
Java 1.4.5
> Invalid use of String.getBytes()
> --------------------------------
>
> Key: SANTUARIO-262
> URL: https://issues.apache.org/jira/browse/SANTUARIO-262
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Reporter: Martin Koegler
> Assignee: Colm O hEigeartaigh
> Fix For: Java 1.4.5, Java 1.5
>
> Attachments: encode-upload.patch
>
>
> Various places call String.getBytes() without any encoding. This allows the JRE to use the "plattform" encoding, which can be any (even ISO-8859-1/UTF-8 totally incompatible) encoding - there are such JVMs out there.
> This XML header implicates, that the following bytes stream is in UTF-8, therefore the header must be UTF-8 too:
> diff --git a/src/org/apache/xml/security/utils/XMLUtils.java b/src/org/apache/xml/security/utils/XMLUtils.java
> --- a/src/org/apache/xml/security/utils/XMLUtils.java
> +++ b/src/org/apache/xml/security/utils/XMLUtils.java
> @@ -153,7 +153,7 @@ public class XMLUtils {
>
> try {
> if (addPreamble) {
> - os.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n".getBytes());
> + os.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n".getBytes("UTF-8"));
> }
>
> os.write(
> RFC 2617 does not specify an encoding for the hashed password, but in practice they are in an ASCII compatible encoding (http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username):
> diff --git a/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java b/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java
> --- a/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java
> +++ b/src/org/apache/xml/security/utils/resolver/implementations/ResolverDirectHTTP.java
> @@ -161,7 +161,7 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
>
> if ((proxyUser != null) && (proxyPass != null)) {
> String password = proxyUser + ":" + proxyPass;
> - String encodedPassword = Base64.encode(password.getBytes());
> + String encodedPassword = Base64.encode(password.getBytes("ISO-8859-1"));
>
> // or was it Proxy-Authenticate ?
> urlConnection.setRequestProperty("Proxy-Authorization",
> @@ -190,7 +190,7 @@ public class ResolverDirectHTTP extends ResourceResolverSpi {
>
> String password = user + ":" + pass;
> String encodedPassword =
> - Base64.encode(password.getBytes());
> + Base64.encode(password.getBytes("ISO-8859-1"));
>
> // set authentication property in the http header
> urlConnection.setRequestProperty("Authorization",
> KANonce/OAEPparms are set/returned by the API as byte[] - internally they are converted to/from a string without specifing an encoding.
> Therefore the result is platform dependant. I suggest specifying UTF-8, as UTF-8 is probably used on most plattforms:
> diff --git a/src/org/apache/xml/security/encryption/XMLCipher.java b/src/org/apache/xml/security/encryption/XMLCipher.java
> --- a/src/org/apache/xml/security/encryption/XMLCipher.java
> +++ b/src/org/apache/xml/security/encryption/XMLCipher.java
> @@ -976,7 +976,7 @@ public class XMLCipher {
> encryptedBytes = c.doFinal(serializedOctets.getBytes("UTF-8"));
> logger.debug("Expected cipher.outputSize = " +
> Integer.toString(c.getOutputSize(
> - serializedOctets.getBytes().length)));
> + serializedOctets.getBytes("UTF-8").length)));
> }
> logger.debug("Actual cipher.outputSize = " +
> Integer.toString(encryptedBytes.length));
> @@ -2042,7 +2042,11 @@ public class XMLCipher {
> EncryptionConstants.EncryptionSpecNS,
> EncryptionConstants._TAG_KA_NONCE).item(0);
> if (null != kaNonceElement) {
> - result.setKANonce(kaNonceElement.getNodeValue().getBytes());
> + try {
> + result.setKANonce(kaNonceElement.getNodeValue().getBytes("UTF-8"));
> + } catch(UnsupportedEncodingException e) {
> + throw new XMLEncryptionException("UTF-8 not supported", e);
> + }
> }
> // TODO: ///////////////////////////////////////////////////////////
> // Figure out how to make this pesky line work..
> @@ -2411,8 +2415,12 @@ public class XMLCipher {
> EncryptionConstants.EncryptionSpecNS,
> EncryptionConstants._TAG_OAEPPARAMS).item(0);
> if (null != oaepParamsElement) {
> - result.setOAEPparams(
> - oaepParamsElement.getNodeValue().getBytes());
> + try {
> + result.setOAEPparams(
> + oaepParamsElement.getNodeValue().getBytes("UTF-8"));
> + } catch(UnsupportedEncodingException e) {
> + throw new RuntimeException("UTF-8 not supported", e);
> + }
> }
>
> // TODO: Make this mess work
> @@ -2743,11 +2751,15 @@ public class XMLCipher {
> result.setAttributeNS(
> null, EncryptionConstants._ATT_ALGORITHM, algorithmURI);
> if (null != kaNonce) {
> - result.appendChild(
> - XMLUtils.createElementInEncryptionSpace(
> - _contextDocument,
> - EncryptionConstants._TAG_KA_NONCE)).appendChild(
> - _contextDocument.createTextNode(new String(kaNonce)));
> + try {
> + result.appendChild(
> + XMLUtils.createElementInEncryptionSpace(
> + _contextDocument,
> + EncryptionConstants._TAG_KA_NONCE)).appendChild(
> + _contextDocument.createTextNode(new String(kaNonce, "UTF-8")));
> + } catch(UnsupportedEncodingException e) {
> + throw new RuntimeException("UTF-8 not supported", e);
> + }
> }
> if (!agreementMethodInformation.isEmpty()) {
> Iterator itr = agreementMethodInformation.iterator();
> @@ -3428,11 +3440,15 @@ public class XMLCipher {
> String.valueOf(keySize))));
> }
> if (null != oaepParams) {
> - result.appendChild(
> - XMLUtils.createElementInEncryptionSpace(_contextDocument,
> - EncryptionConstants._TAG_OAEPPARAMS).appendChild(
> - _contextDocument.createTextNode(
> - new String(oaepParams))));
> + try {
> + result.appendChild(
> + XMLUtils.createElementInEncryptionSpace(_contextDocument,
> + EncryptionConstants._TAG_OAEPPARAMS).appendChild(
> + _contextDocument.createTextNode(
> + new String(oaepParams, "UTF-8"))));
> + } catch(UnsupportedEncodingException e) {
> + throw new RuntimeException("UTF-8 not supported", e);
> + }
> }
> Iterator itr = encryptionMethodInformation.iterator();
> while (itr.hasNext()) {
> The default encoding for an XML file is UTF-8 - make behaviour consistant for all plattforms:
> diff --git a/src/org/apache/xml/security/signature/XMLSignatureInput.java b/src/org/apache/xml/security/signature/XMLSignatureInput.java
> --- a/src/org/apache/xml/security/signature/XMLSignatureInput.java
> +++ b/src/org/apache/xml/security/signature/XMLSignatureInput.java
> @@ -147,7 +147,11 @@ public class XMLSignatureInput implements Cloneable {
> * @param inputStr the input String which including XML document or node
> */
> public XMLSignatureInput(String inputStr) {
> - this(inputStr.getBytes());
> + try {
> + this.bytes = inputStr.getBytes("UTF-8");
> + } catch(UnsupportedEncodingException e) {
> + throw new RuntimeException("UTF-8 not supported", e);
> + }
> }
>
> /**
> @@ -614,9 +618,9 @@ public class XMLSignatureInput implements Cloneable {
> // if a not-wellformed nodeset exists, put a container around it...
> ByteArrayOutputStream baos = new ByteArrayOutputStream();
>
> - baos.write("<container>".getBytes());
> + baos.write("<container>".getBytes("UTF-8"));
> baos.write(this.getBytes());
> - baos.write("</container>".getBytes());
> + baos.write("</container>".getBytes("UTF-8"));
>
> byte result[] = baos.toByteArray();
> Document document = db.parse(new ByteArrayInputStream(result));
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira