Bug 42886

Summary: Error when removing encrypted content in 1.4.1
Product: Security - Now in JIRA
Reporter: Julien Taupin <julien.taupin>
Component: Encryption
Assignee: XML Security Developers Mailing List <security-dev>
Status: RESOLVED FIXED
Severity: major
CC: mjablon
Priority: P2
Version: Java 1.4.1
Target Milestone: ---
Hardware: Macintosh
OS: Mac OS X 10.4

Description Julien Taupin 2007-07-13 05:37:29 UTC
The method XMLCipher.removeContent(Node node) should remove all the children of
the given Node. However the loop is written so that only half of the
children are removed.

This method should be replaced by the removeContent() method of the 1.3 version:

    private void removeContent(Node node) {
        NodeList list = node.getChildNodes();
        if (list.getLength() > 0) {
            Node n = list.item(0);
            if (null != n) {
                n.getParentNode().removeChild(n);
            }
            removeContent(node);
        }
    }
Comment 1 sean.mullan 2007-07-13 13:27:08 UTC
Why does the current implementation only remove 1/2? Probably obvious but I
don't see it. Also, I believe your suggested fix would reintroduce 
http://issues.apache.org/bugzilla/show_bug.cgi?id=41573 so we need
to come up with a different approach.
Comment 2 sean.mullan 2007-07-17 14:35:35 UTC
A better fix which avoids the recursive StackOverflow issue with deeply nested
documents is the following:

    private static void removeContent(Node node) {
        while (node.hasChildNodes()) {
            node.removeChild(node.getFirstChild());
        }
    }

I'll plan on putting this fix back very soon.
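
Added example, not part of the original thread or the project's source: the question in Comment 1 (why only half of the children go away) is answered by the fact that a DOM NodeList is live. The forward-indexed loop below is a hypothetical reconstruction of that failure mode (the 1.4.1 code is not shown on this page), run next to the iterative loop from Comment 2 on a constructed element; class and method names are illustrative.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class RemoveContentDemo {

    // Hypothetical buggy loop (an assumption, not the 1.4.1 source).
    // getChildNodes() returns a live list: after item(i) is removed, the
    // next sibling slides into index i, and i++ then steps over it.
    static void removeContentForwardIndex(Node node) {
        NodeList list = node.getChildNodes();
        for (int i = 0; i < list.getLength(); i++) {
            node.removeChild(list.item(i));
        }
    }

    // The iterative loop proposed in Comment 2: no index, no recursion.
    static void removeContentIterative(Node node) {
        while (node.hasChildNodes()) {
            node.removeChild(node.getFirstChild());
        }
    }

    // Constructed sample: <card> holding six plaintext child elements.
    static Element sample() throws Exception {
        Document doc = DocumentBuilderFactory.newInstance()
                .newDocumentBuilder().newDocument();
        Element card = doc.createElement("card");
        doc.appendChild(card);
        for (int i = 0; i < 6; i++) {
            Element field = doc.createElement("field" + i);
            field.setTextContent("secret-" + i);
            card.appendChild(field);
        }
        return card;
    }

    // Runs one strategy and reports what plaintext is still in the element.
    static String leftover(boolean iterative) throws Exception {
        Element card = sample();
        if (iterative) removeContentIterative(card);
        else removeContentForwardIndex(card);
        return card.getChildNodes().getLength() + " children left, text='"
                + card.getTextContent() + "'";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("forward index: " + leftover(false));
        System.out.println("iterative:     " + leftover(true));
    }
}
```

The forward-indexed variant leaves every other child in place, so the plaintext of those children survives next to whatever ciphertext is inserted afterwards. A regression test for an encryption call should therefore assert on the leftover children or text of the target element, not only that encryption completed without error.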
Comment 3 sean.mullan 2008-02-19 07:01:34 UTC
*** Bug 41573 has been marked as a duplicate of this bug. ***
Comment 4 Gill Bates 2008-02-23 02:39:25 UTC
Error when removing encrypted content in 1.4.1...

No, the plain content is not removed.

That means the document is encrypted, but the plain text is still in the document.
At least a major bug.
Comment 5 John Wilander 2008-05-06 08:15:22 UTC
This bug doesn't seem to be resolved. The plain text XML is included in the encrypted Document output from XMLCipher.doFinal(). Switching back to 1.4.0 solves the problem for the exact same code.

The potential impact of this bug is severe since testcases and production code might function perfectly while actually omitting plain text XML.

My apologies if I've missed out on some vital information regarding this bug.
Comment 6 sean.mullan 2008-05-06 13:57:46 UTC
(In reply to comment #5)
> This bug doesn't seem to be resolved. The plain text XML is included in the
> encrypted Document output from XMLCipher.doFinal(). Switching back to 1.4.0
> solves the problem for the exact same code.
> 
> The potential impact of this bug is severe since testcases and production code
> might function perfectly while actually omitting plain text XML.
> 
> My apologies if I've missed out on some vital information regarding this bug.


Have you tried the 1.4.2 beta 2 jar? It should be fixed. You can download it 
here: http://people.apache.org/~mullan/dist/xmlsec-1.4.2beta2.jar 
Comment 7 John Wilander 2008-05-07 01:58:05 UTC
Yes, downloading the 1.4.2 beta 2 solves the problem. But it seems odd not to release a new version of an XML security library that sends encrypted XML in plain text, don't you think? The lib is one year old and the bug was reported ten months ago.

I can't find any notes or "known issues" mentioning this serious bug. It might be I'm not into the Apache way of handling such things but imho a note in the Java section under 1.4.1 release would be kind. Perhaps also the link to the beta jar you provided here. My understanding of "resolved" in combination with the version number 1.4.1 is that the issue is solved in 1.4.1.

Anyway, thanks for the help with the beta jar!
Comment 8 sean.mullan 2008-05-12 09:25:49 UTC
(In reply to comment #7)
> Yes, downloading the 1.4.2 beta 2 solves the problem. But it seems odd not to
> release a new version of an XML security library that sends encrypted XML in
> plain text, don't you think? The lib is one year old and the bug was reported
> ten months ago.
> 
> I can't find any notes or "known issues" mentioning this serious bug. It might
> be I'm not into the Apache way of handling such things but imho a note in the
> Java section under 1.4.1 release would be kind. Perhaps also the link to the
> beta jar you provided here. My understanding of "resolved" in combination with
> the version number 1.4.1 is that the issue is solved in 1.4.1.

The version in the bugzilla report is used to indicate which version of the software contains the bug (in this case 1.4.1). There doesn't seem to be a field for indicating which release contains the fix (which is odd for a bug reporting system, but anyway), so the best way to find that information is to check either the CHANGELOG.txt file in the release bundle or http://santuario.apache.org/changes.html

> Anyway, thanks for the help with the beta jar!

Thanks for testing. I agree that this issue is serious and I will make a note of that in the documentation and encourage users to use 1.4.2 when it is released (soon).