- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 1.0, 1.1, 1.2, 1.2.1, 1.2.2, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.4, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.5.6, 1.6.1, 1.6.2, 1.6.3
- Fix Version/s: 1.6.4
- Component/s: Marshalling / Unmarshalling
- Labels: None

An outside tester demonstrated that an attack similar to the DTD issue allows comments to be inserted without breaking a signature if the c14n method excludes them. This similarly corrupts the text content surfaced by the library.
The "simple" fix for this would appear to be to ignore comments with the parser, which happens to be the default behavior of the Java library. The impact would likely be twofold:
- serialization of metadata for backups would strip comments
- metadata with comments signed using c14n methods that include them would not verify
We presume the latter has not been a practice we see with the IdP, so presumably wouldn't be common with the SP.
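
The effect described above can be reproduced with Python's standard library. This is an added illustration, not code from this project: the element names and sample documents are constructed, `xml.etree.ElementTree.canonicalize` (C14N 2.0) stands in for a comment-excluding c14n method, and stripping comments after parsing stands in for a parser configured to ignore them.

```python
import hashlib
import xml.dom.minidom as minidom
from xml.etree.ElementTree import canonicalize

# Constructed sample documents: identical except for one comment inside the text.
PLAIN = "<Attr><Value>alphabeta</Value></Attr>"
COMMENTED = "<Attr><Value>alpha<!-- note -->beta</Value></Attr>"


def c14n_digest(xml_text, with_comments=False):
    """Digest of the canonical form, as a signature reference would compute it."""
    canonical = canonicalize(xml_text, with_comments=with_comments)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def first_text_node(xml_text):
    """Fragile accessor: returns only the first child text node of <Value>."""
    value = minidom.parseString(xml_text).getElementsByTagName("Value")[0]
    return value.firstChild.data


def strip_comments(node):
    """Remove comment nodes from the tree (stand-in for a comment-ignoring parser)."""
    for child in list(node.childNodes):
        if child.nodeType == child.COMMENT_NODE:
            node.removeChild(child)
        elif child.nodeType == child.ELEMENT_NODE:
            strip_comments(child)


def text_ignoring_comments(xml_text):
    """Same accessor once comments never reach the DOM."""
    doc = minidom.parseString(xml_text)
    strip_comments(doc)
    # Merge the text nodes that the removed comment had split apart.
    doc.documentElement.normalize()
    return doc.getElementsByTagName("Value")[0].firstChild.data


if __name__ == "__main__":
    # Comment-excluding c14n: both documents hash the same, so a signature still verifies.
    print(c14n_digest(PLAIN) == c14n_digest(COMMENTED))
    # Comment-including c14n: hashes differ, so stripping comments breaks such signatures.
    print(c14n_digest(PLAIN, True) == c14n_digest(COMMENTED, True))
    print(first_text_node(COMMENTED), text_ignoring_comments(COMMENTED))
```
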