6 changes: 6 additions & 0 deletions Changes
Expand Up @@ -2,6 +2,12 @@ Revision history for XML-Sig

{{$NEXT}}

[Notable Changes since 0.67]
- Fixed (CVE-2025-40934) issue where unsigned xml verified as true (thanks @gttds)

[Change Log]
- 420d8c4 Fixes #63: An unsigned XML should fail verification

0.67 -- Fri Nov 07 18:25:52 AST 2025

[Notable Changes since 0.65]
2 changes: 1 addition & 1 deletion Makefile.PL
Expand Up @@ -47,7 +47,7 @@ my %WriteMakefileArgs = (
"Test::Lib" => 0,
"Test::More" => 0
},
"VERSION" => "0.67",
"VERSION" => "0.68",
"test" => {
"TESTS" => "t/*.t"
}
2 changes: 1 addition & 1 deletion README
Expand Up @@ -3,7 +3,7 @@ NAME
Signatures

VERSION
version 0.67
version 0.68

SYNOPSIS
my $xml = '<foo ID="abc">123</foo>';
3 changes: 2 additions & 1 deletion lib/XML/Sig.pm
Expand Up @@ -500,6 +500,7 @@ sub verify {
my $numsigs = $signature_nodeset->size();
print ("NodeSet Size: $numsigs\n") if $DEBUG;

die 'XML::Sig - XML does not include any signatures' if $numsigs <= 0;
# Loop through each Signature in the document checking each
my $i;
while (my $signature_node = $signature_nodeset->shift()) {
Expand Down Expand Up @@ -669,7 +670,7 @@ sub verify {
return 0 unless ($refdigest eq _trim(encode_base64($digest, '')));

print ( "Signature $i Valid\n") if $DEBUG;
}
}

return 1;
}
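Review bot: The new guard in the first hunk reports a missing signature with `die`, while the digest mismatch visible in the second hunk still reports failure with `return 0`, so a caller now has to handle both an exception and a false return in order to fail closed. The documentation for verify() should say so; a comment above `sub verify` such as `# Dies if the document contains no Signature element; returns 0 if a signature or digest check fails.` would cover it. The final `return 1` only says that every Signature element that was found validated. Whether the element a caller goes on to read is the one a signature references cannot be judged from these hunks, because verify() starts outside them and most of its body is not shown; that limit is worth one sentence in the same documentation.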
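--- a/t/027_no_signatures_should_fail.t
+++ b/t/027_no_signatures_should_fail.t
@@ -0,0 +1,35 @@
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+use XML::Sig;
+
+my $cert_text = '-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----';
+
+my $xml = '<foo ID="abc">123</foo>';
+my $signer = XML::Sig->new({
+cert_text => $cert_text,
+});
+
+# verify a signature
+dies_ok( sub { $signer->verify($xml); }, "No Signatures found die properly.");
+
+done_testing();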
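Review bot: `dies_ok` on the last test line passes for any exception, so this test would keep passing if verify() died for an unrelated reason (a certificate or XML parsing failure, for instance) and the no-signature guard were later removed. Pin the message instead: `throws_ok { $signer->verify($xml) } qr/does not include any signatures/, 'unsigned XML is rejected';`. The comment `# verify a signature` above it describes the opposite case and would read better as `# verifying a document with no Signature element must die`.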