[xmlsec] xmlsec question - empty node set from XPath
Moultrie, Ferrell (ISSAtlanta)
FMoultrie@iss.net
Fri, 26 Jul 2002 10:05:33 -0400
Aleksey:
In xpath.c [line 594] you check if the result of the XPath Transform is
NULL. Should it not also check if the node set is empty, i.e.:

    if((*nodes) == NULL || (*nodes)->nodeNr == 0) {

It's quite possible (easy even) to mistakenly code an XPath Transform that
selects nothing. The result is that Apache dutifully signs nothing and
xmlsec verifies nothing. Thus, nothing is being verified even though there
is the appearance that the document content is valid. The only clue you get
to this is that running xmlsec in --print-all mode doesn't print a content buffer
because there isn't one. Is the case of an empty Transform result defined to
work this way or can/should xmlsec reject it as a flawed Transform?
Thanks!
Ferrell
=====================================
Ferrell Moultrie (ferrell@iss.net)
Software Engineer
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone: 404-236-2600
Direct: 404-236-2849
Fax: 404-236-2632
http://www.iss.net
Internet Security Systems -- The Power to Protect
=====================================
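
An added illustration of the failure mode raised in the message above, not code from xmlsec or from the thread. Assumptions: Python's standard-library ElementTree path subset stands in for the XPath Transform, SHA-1 over serialized nodes stands in for canonicalization and digesting, and the documents, paths and function names are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET


class EmptySelectionError(ValueError):
    """Raised when a transform selects no nodes to digest."""


def select_and_digest(doc_xml, path, reject_empty):
    """Digest the nodes that `path` selects from `doc_xml`.

    With reject_empty=False an empty selection is digested as zero bytes,
    which is the behaviour the message questions. With reject_empty=True
    an empty node set is refused, mirroring the proposed extra check.
    """
    root = ET.fromstring(doc_xml)
    nodes = root.findall(path)
    if reject_empty and len(nodes) == 0:
        raise EmptySelectionError("transform %r selected no nodes" % path)
    h = hashlib.sha1()
    for node in nodes:
        h.update(ET.tostring(node))  # simplified stand-in for canonical XML
    return h.hexdigest()


# Constructed sample documents: same structure, different content.
ORIGINAL = "<order><item>book</item><total>10</total></order>"
TAMPERED = "<order><item>book</item><total>99999</total></order>"

GOOD_PATH = "./total"  # selects the element that should be protected
TYPO_PATH = "./totl"   # constructed mistake: selects nothing


def digests_match(path, reject_empty=False):
    """True when ORIGINAL and TAMPERED give the same digest under `path`."""
    return (select_and_digest(ORIGINAL, path, reject_empty)
            == select_and_digest(TAMPERED, path, reject_empty))


if __name__ == "__main__":
    print("good path, tampering detected:", not digests_match(GOOD_PATH))
    print("typo path, tampering detected:", not digests_match(TYPO_PATH))
    try:
        select_and_digest(ORIGINAL, TYPO_PATH, reject_empty=True)
    except EmptySelectionError as exc:
        print("rejected:", exc)
```

With the mistyped path both documents digest to the SHA-1 of zero bytes, so a signature over that digest says nothing about the document content.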