OpenSAML-Java susceptible to comment attack?


OpenSAML-Java susceptible to comment attack?

Marc Boorshtein
I haven't tried this, but the advisory only mentions the OpenSAML-C libraries. Is it known if this affects the OpenSAML Java libs?

Thanks

--
To unsubscribe from this list send an email to [hidden email]

Re: OpenSAML-Java susceptible to comment attack?

Brent Putman



On 2/27/18 10:21 PM, Marc Boorshtein wrote:
I haven't tried this, but the advisory only mentions the OpenSAML-C libraries. Is it known if this affects the OpenSAML Java libs?

It does not. At least, not if you are using our ParserPool impl with default settings.   We completely strip out the comments when we parse the input into the DOM.  So there's never any comments in the DOM.

We've always done this back to early days, simply because we don't support preserving comments at all in the marshalling/unmarshalling process. So it turned out to be a happy coincidence with respect to this vulnerability.


Re: OpenSAML-Java susceptible to comment attack?

Marc Boorshtein

It does not. At least, not if you are using our ParserPool impl with default settings.   We completely strip out the comments when we parse the input into the DOM.  So there's never any comments in the DOM.


Hmm, looks like I'm using the raw javax.xml.parsers.DocumentBuilder and the comment issue is not handled properly. Can you point me to some example code? Looking at the API docs all I see is GlobalParserPoolInitializer but I don't see any actual parsers.

Thanks
Marc


Re: OpenSAML-Java susceptible to comment attack?

Brent Putman



On 2/27/18 11:02 PM, Marc Boorshtein wrote:

It does not. At least, not if you are using our ParserPool impl with default settings.   We completely strip out the comments when we parse the input into the DOM.  So there's never any comments in the DOM.


Hmm, looks like I'm using the raw javax.xml.parsers.DocumentBuilder and the comment issue is not handled properly. Can you point me to some example code? Looking at the API docs all I see is GlobalParserPoolInitializer but I don't see any actual parsers.

If you were grepping source code, etc., you might have missed it since the ParserPool stuff is actually in our java-support library. The sole impl of the ParserPool interface is: net.shibboleth.utilities.java.support.xml.BasicParserPool. You would just new an instance, set any properties you want and initialize().

For the default global ParserPool instance, after library init you can get that from org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getParserPool().  Currently the only difference from a vanilla BasicParserPool with no changes is that it ups the maxPoolSize from 5 to 50.

However, the BasicParserPool is really mostly just a convenience wrapper around use of DocumentBuilderFactory and DocumentBuilder, with some defaults that differ from the standard Java defaults.  If you want to use a DBF without our ParserPool stuff, all you need to do is set the DocumentBuilderFactory ignoringComments property to 'true'.  That's what the BasicParserPool does, nothing more than that.



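The following is an added, stand-alone example (not code from the thread or from the OpenSAML project) of the DocumentBuilderFactory configuration Brent describes. It parses a constructed SAML-like fragment whose NameID text is split by an XML comment, once with the JDK default (comments kept) and once with ignoringComments set to true, and reports how many child nodes the NameID element ends up with and what the commonly used accessors return. The sample document, class name and method names are all assumptions made for illustration; the DocumentBuilderFactory calls are standard JDK API.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Demonstrates why the DOM must be built with comments stripped before reading NameID text. */
public class CommentSafeParsing {

    // Constructed sample document (not a real assertion): the NameID's text is
    // interrupted by a comment, so a naive reading of the first text node is incomplete.
    static final String SAMPLE =
        "<Assertion><Subject><NameID>ali<!-- split -->ce@example.org</NameID></Subject></Assertion>";

    /** Factory mirroring the relevant setting from the thread; other flags are general hardening. */
    static DocumentBuilderFactory newFactory(boolean ignoreComments) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The setting the thread is about: drop comment nodes while building the DOM.
        dbf.setIgnoringComments(ignoreComments);
        // Unrelated to the comment issue, but standard when parsing untrusted XML:
        // refuse DTDs (blocks external entity expansion) and do not expand entity references.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses SAMPLE with the given comment handling and returns the NameID element. */
    static Element parseNameId(boolean ignoreComments) throws Exception {
        Document doc = newFactory(ignoreComments)
            .newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        return (Element) doc.getElementsByTagName("NameID").item(0);
    }

    /** Number of DOM children under the NameID; with comments stripped this should be a single text node. */
    static int childCount(Element nameId) {
        NodeList children = nameId.getChildNodes();
        return children.getLength();
    }

    public static void main(String[] args) throws Exception {
        for (boolean ignore : new boolean[] { false, true }) {
            Element nameId = parseNameId(ignore);
            System.out.printf(
                "ignoringComments=%b -> children=%d, firstChild=\"%s\", textContent=\"%s\"%n",
                ignore,
                childCount(nameId),
                nameId.getFirstChild().getNodeValue(), // only the text before the comment when comments are kept
                nameId.getTextContent());              // concatenated text of all descendants
        }
    }
}
```

The check to take away is the child count: a NameID parsed with comments kept has several children (text, comment, text), so any consumer that reads only the first text node sees a truncated identifier, while the same document parsed with ignoringComments set to true yields one text node and both accessors agree. With OpenSAML's own pool the equivalent (assuming the 3.x java-support API) is to construct a net.shibboleth.utilities.java.support.xml.BasicParserPool, leave ignoreComments at its default of true, call initialize(), and then use the pool's parse methods or getBuilder()/returnBuilder() rather than a bare DocumentBuilder.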