Posted to dev@santuario.apache.org by bu...@apache.org on 2006/10/26 15:36:11 UTC
DO NOT REPLY [Bug 40819] New: - NPE in IdResolver
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40819>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40819
Summary: NPE in IdResolver
Product: Security
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: info@frankcornelis.be
xmlsec-1.4.RC3 gives an NPE in IdResolver. xmlsec-1.4.beta2 did not do this.
java.lang.NullPointerException
at org.apache.xml.security.utils.IdResolver.isElement(IdResolver.java:237)
at org.apache.xml.security.utils.IdResolver.getEl(IdResolver.java:198)
at org.apache.xml.security.utils.IdResolver.getElementBySearching(IdResolver.java:176)
at org.apache.xml.security.utils.IdResolver.getElementById(IdResolver.java:117)
at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:88)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:259)
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:400)
at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:612)
at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:689)
at org.apache.xml.security.signature.Reference.generateDigestValue(Reference.java:364)
at org.apache.xml.security.signature.Manifest.generateDigestValues(Manifest.java:180)
at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:491)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
------- Additional Comments From zkovacevic@gmx.de 2007-03-08 04:56 -------
For DOM Level 1, *NS methods don't work.
For me, I applied the following fix:
was:
String name=n.getLocalName();
if (name.length()>2)
now:
String name = n.getNodeName();
int x = name.length()-Math.max(name.indexOf(':'), 0)-1;
if (x>2)
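Review bot: In the "now:" lines, `name.length()-Math.max(name.indexOf(':'), 0)-1` is off by one for a name without a prefix. There `indexOf(':')` is -1, `Math.max` clamps it to 0, and the trailing `-1` is still subtracted, so an unprefixed three-character name gives x = 2 and fails `x>2`, while the "was:" check on the local name's length would have passed it. `name.length() - (name.indexOf(':') + 1)` yields the local-part length for both prefixed and unprefixed names.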
(In reply to comment #4)
> (In reply to comment #3)
> > You must always use *NS methods. The non *NS methods should die a horrible
> > death.
> > Also the code that is throwing the exception has not changed so I suppose it
> > also happens in 1.4.beta2 and even 1.3.
> > I can prevent the NPE but it will silently fail and will never find an element.
> > The only sensible thing is to throw an exception when localName is null (i.e.
> > has been done with non NS member).
> > The problem is that then we should fill the code in several other parts with
> > this check, to be consistent.
>
> Why don't you use both Attr APIs (i.e. getLocalName and getName)? This way, if
> getLocalName returns null for DOM1 cases or non qualified attributes, you could
> use getName for backward compatibility.
>
> Greetings,
> Jorge.
> > What do you all think?
> > Anyway I downgrade the severity of the bug.
>
>
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
sean.mullan@sun.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
------- Additional Comments From sean.mullan@sun.com 2007-09-19 12:20 -------
Closing old bugs.
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
------- Additional Comments From info@frankcornelis.be 2006-10-26 09:01 -------
It happens when I use the following during the construction of the DOM document
that I'm about to sign:
anElement.setAttribute("Id", id);
instead of:
anElement.setAttributeNS(null, "Id", id);
Probably my code should use the "setAttributeNS(null" setter???
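The difference described in this comment, as an added example that is not part of the original thread or of the xmlsec code base: with the standard JAXP DOM, an attribute created through `setAttribute` reports a null `getLocalName()`, while one created through `setAttributeNS` does not. The class `LocalNameCheck`, the method `findLevel1Nodes` and the namespace URI are assumptions made for illustration; the walker lists such nodes so they can be corrected before the document is handed to the signer.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

// Added illustration; class and method names are hypothetical, not xmlsec API.
public class LocalNameCheck {

    // Collects every element or attribute whose getLocalName() is null,
    // i.e. nodes that were created with DOM Level 1 (non-NS) methods.
    static List<String> findLevel1Nodes(Node node, List<String> out) {
        if (node.getNodeType() == Node.ELEMENT_NODE) {
            if (node.getLocalName() == null) {
                out.add("element " + node.getNodeName());
            }
            NamedNodeMap attrs = node.getAttributes();
            for (int i = 0; i < attrs.getLength(); i++) {
                Node attr = attrs.item(i);
                if (attr.getLocalName() == null) {
                    out.add("attribute " + node.getNodeName() + "/@" + attr.getNodeName());
                }
            }
        }
        for (Node c = node.getFirstChild(); c != null; c = c.getNextSibling()) {
            findLevel1Nodes(c, out);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        // Constructed sample document; the namespace URI is a placeholder.
        String ns = "urn:example:constructed";
        Element root = doc.createElementNS(ns, "ex:Root");
        doc.appendChild(root);
        Element level1 = (Element) root.appendChild(doc.createElementNS(ns, "ex:A"));
        level1.setAttribute("Id", "id-1");          // DOM Level 1: local name is null
        Element level2 = (Element) root.appendChild(doc.createElementNS(ns, "ex:B"));
        level2.setAttributeNS(null, "Id", "id-2");  // DOM Level 2: local name is "Id"

        // Only the attribute set through setAttribute is reported.
        System.out.println(findLevel1Nodes(doc, new ArrayList<>()));
    }
}
```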
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
------- Additional Comments From jorge.nevado@ericsson.com 2007-02-05 03:51 -------
(In reply to comment #3)
> You must always use *NS methods. The non *NS methods should die a horrible
> death.
> Also the code that is throwing the exception has not changed so I suppose it
> also happens in 1.4.beta2 and even 1.3.
> I can prevent the NPE but it will silently fail and will never find an element.
> The only sensible thing is to throw an exception when localName is null (i.e.
> has been done with non NS member).
> The problem is that then we should fill the code in several other parts with
> this check, to be consistent.
Why don't you use both Attr APIs (i.e. getLocalName and getName)? This way, if
getLocalName returns null for DOM1 cases or non qualified attributes, you could
use getName for backward compatibility.
Greetings,
Jorge.
> What do you all think?
> Anyway I downgrade the severity of the bug.
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
raul-info@r-bg.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From raul-info@r-bg.com 2007-03-08 05:24 -------
Sorry guys, DOM level1 is a dinosaur that should rest in peace. Get better
implementations & use the newer api. If we patch to make it work here, you are
going to have unreliable canonicalization because the process only uses *NS methods.
It is a known and reasonable limitation that we will not fix.
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
raul-info@r-bg.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|regression |minor
------- Additional Comments From raul-info@r-bg.com 2006-10-26 11:26 -------
You must always use *NS methods. The non *NS methods should die a horrible death.
Also the code that is throwing the exception has not changed so I suppose it
also happens in 1.4.beta2 and even 1.3.
I can prevent the NPE but it will silently fail and will never find an element.
The only sensible thing is to throw an exception when localName is null (i.e.
has been done with non NS member).
The problem is that then we should fill the code in several other parts with
this check, to be consistent.
What do you all think?
Anyway I downgrade the severity of the bug.
DO NOT REPLY [Bug 40819] - NPE in IdResolver
Posted by bu...@apache.org.
raul-info@r-bg.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
------- Additional Comments From raul-info@r-bg.com 2006-10-26 06:56 -------
Looks really bad,
Can you send also the signature that is failing?