[xmlsec] Failure to encode special chars in X509SubjectName node

Aleksey Sanin aleksey at aleksey.com
Thu Mar 6 11:08:43 PST 2008


Hm... I was under the impression that xmlNodeSetContent() does the encoding
internally. I guess I was wrong. Let me research this. There are other
places in xmlsec where xmlNodeSetContent() is used. All these places
need to encode & and other special characters.

Thanks for the bug report!

Aleksey

Cliff Hones wrote:
> I have an X509 certificate which has an ampersand within its
> "Subject" text.  When signing with this certificate, the content
> of the X509SubjectName node is incorrectly set - it terminates
> at the ampersand (which is not encoded as &amp;).  Also, xmllib
> reports "unterminated entity reference".
> 
> I can fix this behaviour by adding a suitable call to the routine
> xmlEncodeSpecialChars in openssl/x509.c in the function
>     xmlSecOpenSSLX509SubjectNameNodeWrite
> 
> Note that xmlEncodeSpecialChars requires a "doc" as first argument,
> which is not available in this routine, but in fact NULL can be
> passed as the doc argument is not used.
> 
> I think this call should also be added to
>      xmlSecOpenSSLX509IssuerSerialNodeWrite
> for the IssuerName node, as this could also contain text with
> an "&" (or indeed other special XML characters).
> 
> This problem could also be present in other places where xmlsec sets
> node content to a raw string sourced from non-XML.  I haven't looked
> to see if there are any other such occurrences.
> 
> Do you consider this a bug?  Should I submit it to the Gnome bugzilla?
> 
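
Added example (not part of the original thread, and not xmlsec or libxml2 code): a stand-alone C sketch of the escaping step discussed above, plus a check that flags content still containing a bare "&" before it is written as node content. The function names and the sample subject string are hypothetical; the escape set (& < > " and CR) is this example's stand-in for what xmlEncodeSpecialChars does.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape & < > " and CR in raw text (e.g. an X.509 subject); caller frees. */
char *escape_xml_text(const char *in) {
    char *out = malloc(strlen(in) * 6 + 1);   /* worst case: '"' -> "&quot;" */
    char *p = out;
    if (out == NULL) return NULL;
    for (; *in; in++) {
        switch (*in) {
        case '&':  p += sprintf(p, "&amp;");  break;
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '"':  p += sprintf(p, "&quot;"); break;
        case '\r': p += sprintf(p, "&#13;");  break;
        default:   *p++ = *in;
        }
    }
    *p = '\0';
    return out;
}

static int name_ch(int c) { return isalnum(c) || c == '_' || c == ':' || c == '.' || c == '-'; }

/* Return 1 if s can be passed to an API that expects already-escaped content:
 * no '<', and every '&' begins a terminated reference (&name; &#13; &#x1F;). */
int is_escaped_content(const char *s) {
    for (; *s; s++) {
        if (*s == '<') return 0;
        if (*s != '&') continue;
        const unsigned char *q = (const unsigned char *)s + 1;
        int (*ok)(int) = name_ch;
        if (*q == '#') { q++; ok = isdigit; if (*q == 'x') { q++; ok = isxdigit; } }
        else if (!isalpha(*q) && *q != '_' && *q != ':') return 0;
        if (!ok(*q)) return 0;             /* reference has no body */
        while (ok(*q)) q++;
        if (*q != ';') return 0;           /* unterminated entity reference */
        s = (const char *)q;
    }
    return 1;
}

int main(void) {
    const char *subject = "CN=Smith & Sons <UK>,O=Example";  /* constructed sample */
    char *enc = escape_xml_text(subject);
    printf("raw ok=%d\n", is_escaped_content(subject));
    printf("escaped ok=%d: %s\n", is_escaped_content(enc), enc);
    free(enc);
    return 0;
}
```

Escaping must be applied exactly once to raw input: running it over text that is already escaped turns `&amp;` into `&amp;amp;`, which changes the subject name carried in the signature.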


