Summary: | String comparisons using '==' causes validation errors with some parsers | ||
---|---|---|---|
Product: | Security - Now in JIRA | Reporter: | Vishal Mahajan <vmahajan> |
Component: | Signature | Assignee: | XML Security Developers Mailing List <security-dev> |
Status: | RESOLVED FIXED | ||
Severity: | blocker | CC: | ashundi, iyappanr, jason.halpin, robertegglestone, sssivasankari |
Priority: | P1 | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | All | ||
OS: | All | ||
Bug Depends on: | |||
Bug Blocks: | 45637 | ||
Attachments: | First draft for a pluggable string checker. |
Description
Vishal Mahajan
2006-11-05 07:06:11 UTC
Created attachment 21336 [details]
First draft for a pluggable string checker.
Please take a look a the patch, I want feed back on the solution.Also I don't
have anyother DOM parser that don't intern namespaces, this should fix the
problem, but perhaps there are more places where this problem arise.
I've run into this problem while running under WebLogic (the same app runs fine on Tomcat). Would it be possible to do a quick == comparison, and then only do .equals if it fails? Would interning all namespaces mean that an attacker could cause the server to run out of memory by sending requests which contain lots of random namespaces? Can this be a case of "the flawed microbenchmark". (google it). .equals is slower but on the whole operation (signing, encryption, etc) the XML time is mostly spent on parsing and serialization I would guess. And I'm skipping the cryptographic primitives... I wonder what the test case is. (In reply to comment #3) > Can this be a case of "the flawed microbenchmark". (google it). .equals is > slower but on the whole operation (signing, encryption, etc) the XML time is > mostly spent on parsing and serialization I would guess. And I'm skipping the > cryptographic primitives... > > I wonder what the test case is. > I have do a lot of benchamark and really this is a huge improve. I can tell you why but it will be a big post. And I have do my exercises, and i benchmark the whole operation. Anyway 2 releases ago it was plain impossible to use another parser than xerces (and really a concrete one), we have improve it til the way that now, only this is possible and works with different ones that intern namespaces. Anyway i think that sadly for a fully spec compliant there is no other options than a special xalan+xerces (for xpath transformations). But I still that if a parser doesn't intern namespaces will be hit by a lot of just a difference in the end, that happens with versioning in xml. I just create the patch in order to disable the NS comparison. *** Bug 45573 has been marked as a duplicate of this bug. *** *** Bug 46681 has been marked as a duplicate of this bug. *** In rev 1023243 I committed an update that I believe catches all the places that == is used for string comparisons and replaces it with equals(). I also deprecated org.apache.xml.security.utils.ElementChecker and org.apache.xml.security.utils.ElementCheckerImpl which were used to attempt to hide the difference between equals() and == This should resolve this issues unless I missed an occurrence. It would be really helpful if those individuals who commented on this issues who are not using Xerces could run unit test org.apache.xml.security.test.c14n.implementations.Canonicalizer20010315ExclusiveTest and let us know if this issue isn't resolved. *** Bug 48681 has been marked as a duplicate of this bug. *** |