You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by sc...@apache.org on 2013/06/18 00:26:41 UTC

svn commit: r1493959 - in /santuario/xml-security-cpp/trunk/xsec/dsig: DSIGReference.cpp DSIGSignedInfo.cpp

Author: scantor
Date: Mon Jun 17 22:26:41 2013
New Revision: 1493959

URL: http://svn.apache.org/r1493959
Log:
CVE-2013-2153, CVE-2013-2154

Modified:
    santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp
    santuario/xml-security-cpp/trunk/xsec/dsig/DSIGSignedInfo.cpp

Modified: santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp?rev=1493959&r1=1493958&r2=1493959&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp Mon Jun 17 22:26:41 2013
@@ -516,17 +516,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM
 		}
 
 		else if (URI[9] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
-			     URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i &&
-				 URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d &&
-				 URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
-				 URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) {
+				URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i &&
+				URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d &&
+				URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
+				URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) {
 
 			xsecsize_t len = XMLString::stringLen(&URI[14]);
 
-			XMLCh tmp[512];
-
-			if (len > 511)
-				len = 511;
+			XMLCh* tmp = new XMLCh[len + 1];
+			ArrayJanitor<XMLCh> j_tmp(tmp);
 
 			xsecsize_t j = 14, i = 0;
 
@@ -630,9 +628,14 @@ void DSIGReference::load(void) {
 	// Now check for Transforms
 	tmpElt = mp_referenceNode->getFirstChild();
 
-	while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE))
+	while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) {
+		if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+				"EntityReference nodes in <Reference> are unsupported.");
+		}
 		// Skip text and comments
 		tmpElt = tmpElt->getNextSibling();
+	}
 
 	if (tmpElt == 0) {
 
@@ -651,13 +654,19 @@ void DSIGReference::load(void) {
 
 		// Find next node
 		tmpElt = tmpElt->getNextSibling();
-		while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE))
+		while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) {
+			if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+				throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+					"EntityReference nodes in <Reference> are unsupported.");
+			}
 			tmpElt = tmpElt->getNextSibling();
+		}
 
 
 	} /* if tmpElt node type = transforms */
-	else
+	else {
 		mp_transformList = NULL;
+	}
 
 
 	if (tmpElt == NULL || !strEquals(getDSIGLocalName(tmpElt), "DigestMethod")) {
@@ -692,8 +701,14 @@ void DSIGReference::load(void) {
 
 	tmpElt = tmpElt->getNextSibling();
 
-	while (tmpElt != 0 && !(strEquals(getDSIGLocalName(tmpElt), "DigestValue")))
+	while (tmpElt != 0 &&
+		(tmpElt->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpElt), "DigestValue"))) {
+		if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+				"EntityReference nodes in <Reference> are unsupported.");
+		}
 		tmpElt = tmpElt->getNextSibling();
+	}
 
 	if (tmpElt == 0) {
 
@@ -731,8 +746,13 @@ void DSIGReference::load(void) {
 
 			// Find Manifest child
 			manifestNode = manifestNode->getFirstChild();
-			while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE)
+			while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE) {
+				if (manifestNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+					throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+						"EntityReference nodes in <Reference> are unsupported.");
+				}
 				manifestNode = manifestNode->getNextSibling();
+			}
 
 			if (manifestNode == 0 || !strEquals(getDSIGLocalName(manifestNode), "Manifest"))
 				throw XSECException(XSECException::ExpectedDSIGChildNotFound,
@@ -743,8 +763,14 @@ void DSIGReference::load(void) {
 		// Now have the manifest node, find the first reference and load!
 		referenceNode = manifestNode->getFirstChild();
 
-		while (referenceNode != 0 && !strEquals(getDSIGLocalName(referenceNode), "Reference"))
+		while (referenceNode != 0 &&
+			(referenceNode->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(referenceNode), "Reference"))) {
+			if (referenceNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+				throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+					"EntityReference nodes in <Reference> are unsupported.");
+			}
 			referenceNode = referenceNode->getNextSibling();
+		}
 
 		if (referenceNode == 0)
 			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
@@ -797,8 +823,13 @@ DSIGReferenceList *DSIGReference::loadRe
 		// Find next element Node
 		tmpRef = tmpRef->getNextSibling();
 
-		while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE)
+		while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE) {
+			if (tmpRef->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+				throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+					"EntityReference nodes in <Reference> are unsupported.");
+			}
 			tmpRef = tmpRef->getNextSibling();
+		}
 
 	}
 

Modified: santuario/xml-security-cpp/trunk/xsec/dsig/DSIGSignedInfo.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/dsig/DSIGSignedInfo.cpp?rev=1493959&r1=1493958&r2=1493959&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/dsig/DSIGSignedInfo.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/dsig/DSIGSignedInfo.cpp Mon Jun 17 22:26:41 2013
@@ -299,9 +299,14 @@ void DSIGSignedInfo::load(void) {
 
 	// Check for CanonicalizationMethod
 
-	while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE))
+	while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) {
+		if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+				"EntityReference nodes in <SignedInfo> are unsupported.");
+		}
 		// Skip text and comments
 		tmpSI = tmpSI->getNextSibling();
+	}
 
 	if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "CanonicalizationMethod")) {
 
@@ -362,17 +367,23 @@ void DSIGSignedInfo::load(void) {
 
 	}
 
-	else
+	else {
 
 		throw XSECException(XSECException::UnknownCanonicalization);
+	}
 
 	// Now load the SignatureMethod
 
 	tmpSI = tmpSI->getNextSibling();
 
-	while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE))
+	while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) {
+		if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+				"EntityReference nodes in <SignedInfo> are unsupported.");
+		}
 		// Skip text and comments
 		tmpSI = tmpSI->getNextSibling();
+	}
 
 	if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "SignatureMethod")) {
 
@@ -406,10 +417,14 @@ void DSIGSignedInfo::load(void) {
 	 * longer know at this point if this is an HMAC, we need to check. */
 
 	DOMNode *tmpSOV = tmpSI->getFirstChild();
-	while (tmpSOV != NULL && 
-		tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE && 
-		!strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength"))
+	while (tmpSOV != NULL &&
+		(tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength"))) {
+		if (tmpSOV->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+				"EntityReference nodes in <SignedInfo> are unsupported.");
+		}
 		tmpSOV = tmpSOV->getNextSibling();
+	}
 
 	if (tmpSOV != NULL) {
 
@@ -433,9 +448,14 @@ void DSIGSignedInfo::load(void) {
 
 	// Run through the rest of the elements until done
 
-	while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE))
+	while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) {
+		if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+				"EntityReference nodes in <SignedInfo> are unsupported.");
+		}
 		// Skip text and comments
 		tmpSI = tmpSI->getNextSibling();
+	}
 
 	if (tmpSI != NULL) {