Santuario / SANTUARIO-299

StringIndexOutOfBoundsException is thrown during reference verification (if URI = "#")


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Java 1.4.6, Java 1.5
    • Fix Version/s: Java 1.4.7, Java 1.5.1
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels: None

    Description

      StringIndexOutOfBoundsException is thrown during reference verification (if Reference contains URI = "#"):

      java.lang.StringIndexOutOfBoundsException: String index out of range: 1
      at java.lang.String.charAt(String.java:686)
      at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineCanResolve(ResolverFragment.java:133)
      at org.apache.xml.security.utils.resolver.ResourceResolver.canResolve(ResourceResolver.java:338)
      at org.apache.xml.security.utils.resolver.ResourceResolver.getInstance(ResourceResolver.java:107)
      at org.apache.xml.security.utils.resolver.ResourceResolver.getInstance(ResourceResolver.java:183)
      at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:417)
      at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:614)
      at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:705)
      at org.apache.xml.security.signature.Reference.verify(Reference.java:761)
      at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336)
      at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:281)

      Method org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineCanResolve(...) code:

      if (uriNodeValue.equals("") ||
          ((uriNodeValue.charAt(0) == '#')
           && !((uriNodeValue.charAt(1) == 'x') && uriNodeValue.startsWith("#xpointer(")))
         ) {
          if (log.isDebugEnabled()) {
              log.debug("State I can resolve reference: \"" + uriNodeValue + "\"");
          }

          return true;
      }

      is unsafe, since charAt(1) may not exist.
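
The check quoted above next to a length-safe variant, as an added example that is not part of the issue report and is not the project's committed fix. The class and method names, the sample URI values, and the decision to treat "#" like any other non-xpointer fragment are assumptions made for illustration.

```java
import java.util.List;

public class FragmentUriCheck {

    // The condition as quoted in the issue: charAt(1) is evaluated for any
    // value starting with '#', including the one-character string "#".
    static boolean canResolveAsReported(String uri) {
        return uri.equals("")
            || ((uri.charAt(0) == '#')
                && !((uri.charAt(1) == 'x') && uri.startsWith("#xpointer(")));
    }

    // Assumed hardening (not the committed fix): startsWith() never indexes
    // past the end of the string, so "#" is handled without an exception.
    static boolean canResolveLengthSafe(String uri) {
        if (uri == null) {
            return false;
        }
        return uri.isEmpty()
            || (uri.startsWith("#") && !uri.startsWith("#xpointer("));
    }

    // Runs the reported check and turns the exception into a readable result.
    static String describeReported(String uri) {
        try {
            return String.valueOf(canResolveAsReported(uri));
        } catch (StringIndexOutOfBoundsException e) {
            return "throws " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed sample Reference URI values, not taken from the issue.
        List<String> samples = List.of(
            "", "#", "#x", "#object-1", "#xpointer(/)", "#xpointer(id('a'))");
        for (String uri : samples) {
            System.out.printf("URI=\"%s\" reported=%s length-safe=%s%n",
                uri, describeReported(uri), canResolveLengthSafe(uri));
        }
    }
}
```

Only the "#" input differs between the two checks. The Reference URI is read from the document being verified, so the unchecked exception is reachable from input the verifier does not control.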

      People

        Assignee: coheigea Colm O hEigeartaigh
        Reporter: adomas Adomas Birstunas