Bug 42886 - Error when removing encrypted content in 1.4.1
Error when removing encrypted content in 1.4.1
Status: RESOLVED FIXED
Product: Security - Now in JIRA
Classification: Unclassified
Component: Encryption
Java 1.4.1
Macintosh Mac OS X 10.4
: P2 major
: ---
Assigned To: XML Security Developers Mailing List
:
: 41573 (view as bug list)
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-07-13 05:37 UTC by Julien Taupin
Modified: 2008-05-12 09:25 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Julien Taupin 2007-07-13 05:37:29 UTC
The methode XMLCipher.removeContent(Node node) should remove all the children of
the given Node. However the loop is written so that only only half of the
children are removed.

This method should be replaced by the removeContent() method of the 1.3 version :
private void removeContent(Node node) {
      NodeList list = node.getChildNodes();
      if (list.getLength() > 0) {
          Node n = list.item(0);
          if (null != n) {
              n.getParentNode().removeChild(n);
          }
          removeContent(node);
      }
    }
Comment 1 sean.mullan 2007-07-13 13:27:08 UTC
Why does the current implementation only remove 1/2? Probably obvious but I
don't see it. Also, I believe your suggested fix would reintroduce 
http://issues.apache.org/bugzilla/show_bug.cgi?id=41573 so we need
to come up with a different approach.
Comment 2 sean.mullan 2007-07-17 14:35:35 UTC
A better fix which avoids the recursive StackOverflow issue with deeply nested
documents is the following:

    private static void removeContent(Node node) {
        while (node.hasChildNodes()) {
            node.removeChild(node.getFirstChild());
        }
    }

I'll plan on putting this fix back very soon.
Comment 3 sean.mullan 2008-02-19 07:01:34 UTC
*** Bug 41573 has been marked as a duplicate of this bug. ***
Comment 4 Gill Bates 2008-02-23 02:39:25 UTC
Error when removing encrypted content in 1.4.1...

no, the plain content is not removed.

That means, document is encrypted, but the plain text is still in the document.
At leas a major bug.
Comment 5 John Wilander 2008-05-06 08:15:22 UTC
This bug doesn't seem to be resolved. The plain text XML is included in the encrypted Document output from XMLCipher.doFinal(). Switching back to 1.4.0 solves the problem for the exact same code.

The potential impact of this bug is severe since testcases and production code might function perfectly while actually omitting plain text XML.

My apologies if I've missed out on some vital information regarding this bug.
Comment 6 sean.mullan 2008-05-06 13:57:46 UTC
(In reply to comment #5)
> This bug doesn't seem to be resolved. The plain text XML is included in the
> encrypted Document output from XMLCipher.doFinal(). Switching back to 1.4.0
> solves the problem for the exact same code.
> 
> The potential impact of this bug is severe since testcases and production code
> might function perfectly while actually omitting plain text XML.
> 
> My apologies if I've missed out on some vital information regarding this bug.


Have you tried the 1.4.2 beta 2 jar? It should be fixed. You can download it 
here: http://people.apache.org/~mullan/dist/xmlsec-1.4.2beta2.jar 
Comment 7 John Wilander 2008-05-07 01:58:05 UTC
Yes, downloading the 1.4.2 beta 2 solves the problem. But it seems odd not to release a new version of an XML security library that sends encrypted XML i plain text, don't you think? The lib is one year old and the bug was reported ten months ago.

I can't find any notes or "known issues" mentioning this serious bug. It might be I'm not into the Apache way of handling such things but imho a note in the Java section under 1.4.1 release would be kind. Perhaps also the link to the beta jar you provided here. My understanding of "resolved" in combination with the version number 1.4.1 is that the issue is solved in 1.4.1.

Anyway, thanks for the help with the beta jar!
Comment 8 sean.mullan 2008-05-12 09:25:49 UTC
(In reply to comment #7)
> Yes, downloading the 1.4.2 beta 2 solves the problem. But it seems odd not to
> release a new version of an XML security library that sends encrypted XML i
> plain text, don't you think? The lib is one year old and the bug was reported
> ten months ago.
> 
> I can't find any notes or "known issues" mentioning this serious bug. It might
> be I'm not into the Apache way of handling such things but imho a note in the
> Java section under 1.4.1 release would be kind. Perhaps also the link to the
> beta jar you provided here. My understanding of "resolved" in combination with
> the version number 1.4.1 is that the issue is solved in 1.4.1.

The version in the bugzilla report is used to indicate which version of the software contains the bug (in this case 1.4.1). There doesn't seem to be a field for indicating which release contains the fix (which is odd for a bug reporting system, but anyway), so the best way to find that information is to check either the CHANGELOG.txt file in the release bundle or http://santuario.apache.org/changes.html

> Anyway, thanks for the help with the beta jar!

Thanks for testing. I agree that this issue is serious and I will make a note of that in the documentation and encourage users to use 1.4.2 when it is released (soon).