From 0a53d3c3aa87564910cae4ed01416441d3ae0db5 Mon Sep 17 00:00:00 2001 From: Rob Richards Date: Tue, 5 Nov 2019 06:44:22 -0500 Subject: [PATCH] Release 3.0.4. Security release for CVE-2019-3465 --- CHANGELOG.txt | 7 ++++++- LICENSE | 2 +- src/XMLSecurityDSig.php | 14 +++++++++++--- xmlseclibs.php | 2 +- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 76220cb2..faaf61cf 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,6 +1,11 @@ xmlseclibs.php ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -??, ??? 2018, 3.0.4-dev +06, Nov 2019, 3.0.4 +Security Improvements: +- Insure only a single SignedInfo element exists within a signature during + verification. Refs CVE-2019-3465. +Bug Fixes: +- Fix variable casing. 15, Nov 2018, 3.0.3 Bug Fixes: diff --git a/LICENSE b/LICENSE index 54b1e87d..4fe5e5ff 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2007-2018, Robert Richards . +Copyright (c) 2007-2019, Robert Richards . All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/src/XMLSecurityDSig.php b/src/XMLSecurityDSig.php index ada217b1..c9063d0f 100644 --- a/src/XMLSecurityDSig.php +++ b/src/XMLSecurityDSig.php @@ -194,6 +194,11 @@ public function locateSignature($objDoc, $pos=0) $query = ".//secdsig:Signature"; $nodeset = $xpath->query($query, $objDoc); $this->sigNode = $nodeset->item($pos); + $query = "./secdsig:SignedInfo"; + $nodeset = $xpath->query($query, $this->sigNode); + if ($nodeset->length > 1) { + throw new Exception("Invalid structure - Too many SignedInfo elements found"); + } return $this->sigNode; } return null; 
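Review bot: The new SignedInfo query in locateSignature runs even when `$nodeset->item($pos)` returned null (no Signature element, or `$pos` past the end of the node list), so `$xpath->query($query, $this->sigNode)` is evaluated with a null context node rather than against a Signature element and the `> 1` check says nothing about the document in that case. Guarding first with `if ($this->sigNode === null) { return null; }` before `$query = "./secdsig:SignedInfo";` keeps the check scoped to the located Signature and makes the null return explicit instead of incidental. The guard rejects duplicate SignedInfo children but not their absence; if a Signature with no SignedInfo should fail here rather than in later verification, `if ($nodeset->length !== 1)` is the stricter form, though that may affect callers that locate a Signature still under construction. locateSignature's opening lines lie outside the hunk.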
@@ -303,6 +308,9 @@ public function canonicalizeSignedInfo() $xpath = $this->getXPathObj(); $query = "./secdsig:SignedInfo"; $nodeset = $xpath->query($query, $this->sigNode); + if ($nodeset->length > 1) { + throw new Exception("Invalid structure - Too many SignedInfo elements found"); + } if ($signInfoNode = $nodeset->item(0)) { $query = "./secdsig:CanonicalizationMethod"; $nodeset = $xpath->query($query, $signInfoNode); @@ -440,7 +448,7 @@ public function processTransforms($refNode, $objData, $includeCommentNodes = tru if ($node->localName == 'XPath') { $arXPath = array(); $arXPath['query'] = '(.//. | .//@* | .//namespace::*)['.$node->nodeValue.']'; - $arXpath['namespaces'] = array(); + $arXPath['namespaces'] = array(); $nslist = $xpath->query('./namespace::*', $node); foreach ($nslist AS $nsnode) { if ($nsnode->localName != "xml") { @@ -554,7 +562,7 @@ public function getRefIDs() $refids = array(); $xpath = $this->getXPathObj(); - $query = "./secdsig:SignedInfo/secdsig:Reference"; + $query = "./secdsig:SignedInfo[1]/secdsig:Reference"; $nodeset = $xpath->query($query, $this->sigNode); if ($nodeset->length == 0) { throw new Exception("Reference nodes not found"); @@ -578,7 +586,7 @@ public function validateReference() } } $xpath = $this->getXPathObj(); - $query = "./secdsig:SignedInfo/secdsig:Reference"; + $query = "./secdsig:SignedInfo[1]/secdsig:Reference"; $nodeset = $xpath->query($query, $this->sigNode); if ($nodeset->length == 0) { throw new Exception("Reference nodes not found"); diff --git a/xmlseclibs.php b/xmlseclibs.php index 1e6eec74..4470dab2 100644 --- a/xmlseclibs.php +++ b/xmlseclibs.php @@ -37,7 +37,7 @@ * @author Robert Richards * @copyright 2007-2019 Robert Richards * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version 3.0.4-dev + * @version 3.0.4 */ $xmlseclibs_srcdir = dirname(__FILE__) . '/src/';
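Review bot: The SignedInfo count guard added before `$nodeset->item(0)` in canonicalizeSignedInfo is a verbatim copy of the one added to locateSignature, exception message included, so a later change to one of them (for example tightening it to `!== 1`) will not reach the other. Extracting it into a single private method that takes the `$xpath` object and throws the same Exception keeps the CVE-2019-3465 invariant defined in one place. As written the guard also depends on `$this->sigNode` already being set; when it is null the query runs with a null context, which presumably yields no match rather than an error, but that is inferred rather than visible in the hunk. canonicalizeSignedInfo continues past the end of the hunk.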
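Review bot: The new `[1]` predicate in `$query = "./secdsig:SignedInfo[1]/secdsig:Reference";` in getRefIDs carries the security meaning of this release, but nothing in the code says so, and the identical silent predicate appears in the validateReference hunk below; a maintainer tidying the XPath could drop it without noticing. Add a comment above the line in both places, e.g. `// Pin references to the first SignedInfo, the one canonicalizeSignedInfo() signs over (CVE-2019-3465)`. The predicate also means a document with several SignedInfo children that reaches these methods without passing through locateSignature uses the first one rather than being rejected, which appears to be a deliberate belt-and-braces measure and is worth stating in that comment. Both getRefIDs and validateReference start before and end after their hunks.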