jdk/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverFragment.java
--- a/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverFragment.java Tue Apr 09 12:05:27 2013 +0400
+++ b/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverFragment.java Mon Apr 22 11:23:33 2013 +0100
@@ -23,11 +23,12 @@
import com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput;
-import com.sun.org.apache.xml.internal.security.utils.IdResolver;
+import com.sun.org.apache.xml.internal.security.utils.XMLUtils;
import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException;
import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
+import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -51,63 +52,68 @@
/**
* Method engineResolve
*
- * Wird das gleiche Dokument referenziert?
- * Wird ein anderes Dokument referenziert?
* @inheritDoc
* @param uri
- * @param BaseURI
- *
+ * @param baseURI
*/
- public XMLSignatureInput engineResolve(Attr uri, String BaseURI)
+ public XMLSignatureInput engineResolve(Attr uri, String baseURI)
throws ResourceResolverException
{
-
- String uriNodeValue = uri.getNodeValue();
- Document doc = uri.getOwnerElement().getOwnerDocument();
+ String uriNodeValue = uri.getNodeValue();
+ Document doc = uri.getOwnerElement().getOwnerDocument();
+ Node selectedElem = null;
+ if (uriNodeValue.equals("")) {
- Node selectedElem = null;
- if (uriNodeValue.equals("")) {
+ /*
+ * Identifies the node-set (minus any comment nodes) of the XML
+ * resource containing the signature
+ */
- /*
- * Identifies the node-set (minus any comment nodes) of the XML
- * resource containing the signature
- */
+ log.log(java.util.logging.Level.FINE, "ResolverFragment with empty URI (means complete document)");
+ selectedElem = doc;
+ } else {
- log.log(java.util.logging.Level.FINE, "ResolverFragment with empty URI (means complete document)");
- selectedElem = doc;
- } else {
+ /*
+ * URI="#chapter1"
+ * Identifies a node-set containing the element with ID attribute
+ * value 'chapter1' of the XML resource containing the signature.
+ * XML Signature (and its applications) modify this node-set to
+ * include the element plus all descendents including namespaces and
+ * attributes -- but not comments.
+ */
+ String id = uriNodeValue.substring(1);
- /*
- * URI="#chapter1"
- * Identifies a node-set containing the element with ID attribute
- * value 'chapter1' of the XML resource containing the signature.
- * XML Signature (and its applications) modify this node-set to
- * include the element plus all descendents including namespaces and
- * attributes -- but not comments.
- */
- String id = uriNodeValue.substring(1);
-
- // Element selectedElem = doc.getElementById(id);
- selectedElem = IdResolver.getElementById(doc, id);
- if (selectedElem==null) {
+ selectedElem = doc.getElementById(id);
+ if (selectedElem == null) {
Object exArgs[] = { id };
- throw new ResourceResolverException(
- "signature.Verification.MissingID", exArgs, uri, BaseURI);
- }
- if (log.isLoggable(java.util.logging.Level.FINE))
+ throw new ResourceResolverException(
+ "signature.Verification.MissingID", exArgs, uri, baseURI);
+ }
+ if (secureValidation) {
+ Element start = uri.getOwnerDocument().getDocumentElement();
+ if (!XMLUtils.protectAgainstWrappingAttack(start, id)) {
+ Object exArgs[] = { id };
+ throw new ResourceResolverException(
+ "signature.Verification.MultipleIDs", exArgs,
+ uri, baseURI);
+ }
+ }
+ if (log.isLoggable(java.util.logging.Level.FINE))
log.log(java.util.logging.Level.FINE, "Try to catch an Element with ID " + id + " and Element was " + selectedElem);
- }
+ }
- XMLSignatureInput result = new XMLSignatureInput(selectedElem);
- result.setExcludeComments(true);
+ XMLSignatureInput result = new XMLSignatureInput(selectedElem);
+ result.setExcludeComments(true);
- //log.log(java.util.logging.Level.FINE, "We return a nodeset with " + resultSet.size() + " nodes");
- result.setMIMEType("text/xml");
- result.setSourceURI((BaseURI != null) ? BaseURI.concat(uri.getNodeValue()) :
- uri.getNodeValue());
- return result;
- }
+ result.setMIMEType("text/xml");
+ if (baseURI != null && baseURI.length() > 0) {
+ result.setSourceURI(baseURI.concat(uri.getNodeValue()));
+ } else {
+ result.setSourceURI(uri.getNodeValue());
+ }
+ return result;
+ }
/**
* Method engineCanResolve