| Summary: | Erroneous check for reference equality to compare two Strings | ||
|---|---|---|---|
| Product: | Security - Now in JIRA | Reporter: | Jason Halpin <jason.halpin> |
| Component: | Canonicalization | Assignee: | XML Security Developers Mailing List <security-dev> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Windows XP | ||
When using a DOM model which doesn't return an interned String for the default namespace uri in Attr.getNamespaceURI(), the following line fails in org.apache.xml.security.c14n.implementations.Canonicalizer20010315Excl.handleAttributesSubtree(): if (XMLNS_URI!=N.getNamespaceURI()) { ... This allows extraneous namespace declarations to fall thru canonicalization on certain DOM implementations. I don't think there's any requirement that the namespace URI that's returned should be the same reference as the literal string it's being compared against here. Should be : if (!(XMLNS_URI.equals(N.getNamespaceURI())) { ...