Fixed comment vulnerability in verifying signatures
RonXS committed Apr 3, 2018
1 parent 07741d3 commit 482cdf8
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions src/Wizkunde/SAMLBase/Security/Signature.php
@@ -32,7 +32,7 @@ public function verifyDOMDocument($document)
}

$this->add509Cert($this->getCertificate()->getPublicKey()->getX509Certificate());
$this->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$this->setCanonicalMethod(XMLSecurityDSig::EXC_C14N_COMMENTS);
$this->addReference($document->documentElement, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID'));

return $this->verify($this->getCertificate()->getPublicKey());
@@ -94,7 +94,7 @@ public function signMetadata(\DOMDocument $document)
protected function signDocument(\DOMDocument $document, $node)
{
$this->add509Cert($this->getCertificate()->getPublicKey()->getX509Certificate());
$this->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$this->setCanonicalMethod(XMLSecurityDSig::EXC_C14N_COMMENTS);
$this->addReference($document->documentElement, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID'));

$this->sign($this->getCertificate()->getPrivateKey());
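Review bot: The reference transform is left unchanged in both hunks: `addReference(...)` still lists `XMLSecurityDSig::EXC_C14N` next to the `setCanonicalMethod()` call, and `setCanonicalMethod()` only governs how SignedInfo is canonicalized, so comments inside the document element are presumably still stripped before the digest is computed. If the goal is for comment nodes to be covered by the signature, the transform needs the same change, e.g. `array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N_COMMENTS)`, and a regression test should confirm that a signed document with a comment added afterwards fails `verifyDOMDocument()`. Independently of that, code that reads identity values from the verified document should take an element's full text content rather than its first text node. Both references also still use `XMLSecurityDSig::SHA1` as the digest; `XMLSecurityDSig::SHA256` would be the safer choice where peers support it. Both `verifyDOMDocument()` and `signDocument()` extend beyond the lines shown, so this is based on the visible calls only.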
