Right on the point, Scott. If an application always calls
IdResolver.registerElementById() before validating the signature, then the
exhaustive search shouldn't be necessary, correct?

I'm wondering if it's possible to remove the call to
IdResolver.getElementBySearching in the xmlsec library?

Yang

On Wed, Nov 16, 2011 at 9:41 AM, Cantor, Scott <[email protected]> wrote:

> On 11/16/11 12:37 PM, "Yang Yu" <[email protected]> wrote:
>
> >In org.apache.xml.security.utils.IdResolver.getElementById(Document doc,
> >String id), I'm wondering why it's necessary to do an exhaustive search by
> >calling:
> >
> >result = IdResolver.getElementBySearching(doc, id);
> >
> >Do you see any harm if I comment out this line? Because I notice that the
> >Element is always found by the first call:
> >
> >Element result = IdResolver.getElementByIdType(doc, id);
>
> IDness is an extremely complex issue. Unless you have schema validation,
> or extensive content knowledge, you can't know what IDs are present, and
> getElementById won't succeed.
>
> But in turn, searching for Ids is, in general, wrong. It's essentially
> insecure, and if there's still a feature doing that by default, there's a
> bug. The wrapping attacks proved that once and for all (I hope).
>
> -- Scott
>
>

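The point Scott makes about searching for Ids, as an added worked example that is not code from Apache Santuario or from either poster: a Python toy model in which a "signature" is just a digest over the element a Reference names, and three resolver strategies stand in for IdResolver's behaviour. `resolve_by_search` models the exhaustive `getElementBySearching` fallback, `resolve_by_unique_search` models the obvious "reject duplicate Ids" patch, and `resolve_registered` models an application that calls registerElementById on the element it is actually going to process before verifying. The element names, the `Transfer` payload and the three sample documents are constructed for the example; the digest is over ElementTree's serialization rather than real C14N, which does not affect the comparison being made.

```python
"""Why resolving a Reference by searching the whole document for an Id is
unsafe, versus resolving it against the element the application registered.

Added example, not Apache Santuario code: the resolvers, the hash-based
"signature" and the sample documents are constructed stand-ins for the real
ds:Reference / DigestValue processing and for IdResolver.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

ID_ATTR = "Id"    # attribute a Reference URI="#..." points at (assumption)
REF_ID = "body"   # the Id the toy signature references


def digest(elem):
    """Digest of an element's serialization (stand-in for C14N + DigestValue).

    The tail text is dropped so the same element digests identically
    wherever it sits in the tree, as a real C14N of the subtree would.
    """
    e = copy.deepcopy(elem)
    e.tail = None
    return hashlib.sha256(ET.tostring(e)).hexdigest()


def resolve_by_search(doc, ref_id):
    """Exhaustive search: first element anywhere in the tree with that Id."""
    return next((e for e in doc.iter() if e.get(ID_ATTR) == ref_id), None)


def resolve_by_unique_search(doc, ref_id):
    """Exhaustive search that refuses to resolve an Id occurring more than once."""
    hits = [e for e in doc.iter() if e.get(ID_ATTR) == ref_id]
    return hits[0] if len(hits) == 1 else None


def resolve_registered(registry, ref_id):
    """Look up only elements the application registered before verifying."""
    return registry.get(ref_id)


def sign(doc):
    """Toy signature: referenced Id -> digest of the element it names.

    The signer searches its own, trusted document, which is harmless here;
    a real signature would additionally bind this value under a key.
    """
    return {REF_ID: digest(resolve_by_search(doc, REF_ID))}


def verify(signature, resolver):
    """True if every referenced element resolves and digests as signed."""
    for ref_id, expected in signature.items():
        target = resolver(ref_id)
        if target is None or digest(target) != expected:
            return False
    return True


def application_target(doc):
    """The element the application acts on: the Body directly under Envelope."""
    return doc.find("Body")


def run_scenario(signed_xml, received_xml):
    """Sign signed_xml, verify received_xml with each resolver, and report
    which Transfer the application would go on to process."""
    signature = sign(ET.fromstring(signed_xml))
    received = ET.fromstring(received_xml)
    processed = application_target(received)
    # Hardened path: register the element that will be consumed, keyed by
    # its Id, so the verifier cannot be pointed at any other element.
    registry = {processed.get(ID_ATTR): processed}
    return {
        "search": verify(signature, lambda i: resolve_by_search(received, i)),
        "unique_search": verify(signature, lambda i: resolve_by_unique_search(received, i)),
        "registered": verify(signature, lambda i: resolve_registered(registry, i)),
        "processed_amount": processed.find("Transfer").get("amount"),
    }


# Constructed sample documents.
ORIGINAL = ('<Envelope>'
            '<Body Id="body"><Transfer amount="10" to="alice"/></Body>'
            '</Envelope>')
# Wrapping attack: the signed Body is moved intact under a Wrapper, keeping
# its Id, and an unsigned Body takes its place where the application reads.
WRAPPED_DUP_ID = ('<Envelope>'
                  '<Wrapper><Body Id="body"><Transfer amount="10" to="alice"/></Body></Wrapper>'
                  '<Body Id="body"><Transfer amount="1000000" to="mallory"/></Body>'
                  '</Envelope>')
# Same attack, but the injected Body carries no Id at all, so the referenced
# Id is still unique in the document and a duplicate check sees nothing.
WRAPPED_NO_ID = ('<Envelope>'
                 '<Wrapper><Body Id="body"><Transfer amount="10" to="alice"/></Body></Wrapper>'
                 '<Body><Transfer amount="1000000" to="mallory"/></Body>'
                 '</Envelope>')


if __name__ == "__main__":
    for name, xml in [("original", ORIGINAL),
                      ("wrapped, duplicate Id", WRAPPED_DUP_ID),
                      ("wrapped, no Id on injected Body", WRAPPED_NO_ID)]:
        print(name, run_scenario(ORIGINAL, xml))
```

Run stand-alone, the script shows the search-based resolver accepting both wrapped documents while the application processes the attacker's Transfer; the uniqueness check stops only the duplicate-Id variant; only the registered lookup fails both, because the verifier is forced to digest the very element the application will consume.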