Type: Enhancement
Resolution: Unresolved
Priority: P4
Consider adding XPath (http://www.w3.org/TR/1999/REC-xpath-19991116) to the list of disallowed algorithms in jdk.xml.dsig.secureValidationPolicy.
The use of XPath in signature validation is uncommon, and XPath has a large surface area (e.g. [1]). Disabling it by default, and allowing applications that need it to re-enable it, could improve the security of the default configuration.
JDK-8261246 took a similar approach: it disabled SHA-1 by default and documented in the release notes how to re-enable it.
[1] https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java-xml.html
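An added example, not code from this issue or from the JDK itself, showing how a deployment can apply the proposed default on its own today: it appends the XPath URI as a `disallowAlg` entry to `jdk.xml.dsig.secureValidationPolicy` at startup and turns secure validation on explicitly for the validation context. The class and helper names are illustrative, and it assumes the property's documented format of comma-separated entries such as `disallowAlg <uri>`.

```java
// Added example (not from the JDK issue or the JDK): disallow the XPath transform
// via jdk.xml.dsig.secureValidationPolicy before any XML signature is validated.
// Assumes the property's documented comma-separated "disallowAlg <uri>" format.
import java.security.Security;
import javax.xml.crypto.dsig.dom.DOMValidateContext;

public final class XmlDsigPolicyHardening {
    static final String POLICY_PROP = "jdk.xml.dsig.secureValidationPolicy";
    // URI quoted in the issue: the XPath transform algorithm identifier.
    static final String XPATH_URI = "http://www.w3.org/TR/1999/REC-xpath-19991116";

    /** True if the policy already carries a "disallowAlg <uri>" entry for uri. */
    static boolean disallows(String policy, String uri) {
        if (policy == null) return false;
        for (String entry : policy.split(",")) {
            String[] parts = entry.trim().split("\\s+");
            // Other entry kinds (maxTransforms 5, noDuplicateIds, ...) are skipped.
            if (parts.length == 2 && parts[0].equals("disallowAlg") && parts[1].equals(uri)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the policy with a disallowAlg entry for uri appended unless present. */
    static String withDisallowed(String policy, String uri) {
        if (disallows(policy, uri)) return policy;
        String entry = "disallowAlg " + uri;
        return (policy == null || policy.isBlank()) ? entry : policy + "," + entry;
    }

    /** Call once at startup, before the first XMLSignatureFactory use reads the policy. */
    public static void hardenPolicy() {
        String current = Security.getProperty(POLICY_PROP);
        Security.setProperty(POLICY_PROP, withDisallowed(current, XPATH_URI));
    }

    /** The policy is only enforced in secure validation mode; set it rather than assume it. */
    static void enableSecureValidation(DOMValidateContext ctx) {
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
    }

    public static void main(String[] args) {
        hardenPolicy();
        System.out.println("XPath transform disallowed: "
            + disallows(Security.getProperty(POLICY_PROP), XPATH_URI));
    }
}
```

For a permanent setting, the same `disallowAlg` entry belongs in the JDK's `java.security` file (or a file passed via `java.security.properties`) so it applies without code changes.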