[xmlsec] xmlsec question - empty node set from XPath

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Fri Jul 26 07:05:33 PDT 2002

  In xpath.c [line 594] you check if the result of the XPath Transform is
NULL. Should it not also check if the node set is empty, i.e.,
    if((*nodes) == NULL || (*nodes)->nodeNr == 0) {
  It's quite possible (easy even) to mistakenly code an XPath Transform that
selects nothing. The result is that Apache dutifully signs nothing and
xmlsec verifies nothing. Thus, nothing is being verified even though there
is the appearance that the document content is valid. The only clue you get
to this is that running xmlsec in --print-all mode doesn't print a content buffer
because there isn't one. Is the case of an empty Transform result defined to
work this way or can/should xmlsec reject it as a flawed Transform?

Ferrell Moultrie (ferrell at iss.net)
Software Engineer

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone:  404-236-2600
Direct: 404-236-2849
Fax:    404-236-2632

Internet Security Systems -- The Power to Protect
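
The failure mode described in the message above, as an added example that is not part of the original post or of xmlsec. It uses Python's standard-library ElementTree as a stand-in for the libxml2 node set; the sample documents, the function names and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample documents; the second one has a tampered amount.
ORIGINAL = "<order><item id='1'><amount>10</amount></item></order>"
TAMPERED = "<order><item id='1'><amount>9999</amount></item></order>"

GOOD_XPATH = ".//amount"   # selects the element that should be covered
BAD_XPATH = ".//Amount"    # wrong case: valid expression that matches nothing

# Digest of zero bytes: what an empty selection always produces.
EMPTY_DIGEST = hashlib.sha256(b"").hexdigest()


class EmptyNodeSetError(ValueError):
    """The transform selected no nodes, so the digest would cover nothing."""


def select_and_digest(xml_text, xpath, reject_empty=True):
    """Apply the XPath selection and digest the canonical form of the result."""
    nodes = ET.fromstring(xml_text).findall(xpath)
    # Same condition the post proposes: treat NULL and "zero nodes" alike.
    if reject_empty and not nodes:
        raise EmptyNodeSetError(f"XPath {xpath!r} selected an empty node set")
    digest = hashlib.sha256()
    for node in nodes:
        serialized = ET.tostring(node, encoding="unicode")
        digest.update(ET.canonicalize(serialized).encode("utf-8"))
    return digest.hexdigest()


if __name__ == "__main__":
    # Correct selection: the tampered document yields a different digest.
    print(select_and_digest(ORIGINAL, GOOD_XPATH) !=
          select_and_digest(TAMPERED, GOOD_XPATH))
    # Empty selection without the guard: both documents digest identically.
    print(select_and_digest(ORIGINAL, BAD_XPATH, reject_empty=False) ==
          select_and_digest(TAMPERED, BAD_XPATH, reject_empty=False))
    # With the guard, the flawed transform is rejected instead of "verified".
    try:
        select_and_digest(TAMPERED, BAD_XPATH)
    except EmptyNodeSetError as exc:
        print("rejected:", exc)
```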
