diff options
| author | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2011-04-02 04:03:13 +0200 |
|---|---|---|
| committer | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2011-04-04 15:57:54 +0200 |
| commit | 6477d6043c26dbb690e3065e30c622eec56516c6 (patch) | |
| tree | 58784776195b43fa8e3a84008d431fd5a6ebccf5 | |
| parent | 345c3b50f80fc22fd99568469fb2a987f7178b71 (diff) | |
| download | lasso-6477d6043c26dbb690e3065e30c622eec56516c6.tar.gz lasso-6477d6043c26dbb690e3065e30c622eec56516c6.tar.xz lasso-6477d6043c26dbb690e3065e30c622eec56516c6.zip | |
[xml] if signature reference is empty check that signed node is the document root
An empty reference means the complete document, so the signed node is
the root element of this document. We must check that the parameter
signe_node dmatches our assumption.
| -rw-r--r-- | lasso/xml/tools.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c index 464510e3..bdf582c3 100644 --- a/lasso/xml/tools.c +++ b/lasso/xml/tools.c @@ -1366,8 +1366,9 @@ lasso_verify_signature(xmlNode *signed_node, xmlDoc *doc, const char *id_attr_na xmlSecPtrListGetItem(&(dsigCtx->signedInfoReferences), 0); ok |= dsig_reference_ctx != 0 && lasso_strisequal((char*)dsig_reference_ctx->uri, reference_uri); - ok |= signature_verification_option && EMPTY_URI && - lasso_strisequal((char*)dsig_reference_ctx->uri, ""); + ok |= (signature_verification_option & EMPTY_URI) + && xmlDocGetRootElement(doc) == signed_node + && lasso_strisequal((char*)dsig_reference_ctx->uri, ""); goto_cleanup_if_fail_with_rc(ok, LASSO_DS_ERROR_INVALID_REFERENCE_FOR_SAML); } |