Fixes #63: An unsigned XML should fail verification

timlegge · timlegge · commit 74ea948931f1 · 2025-11-26T18:06:46.000-04:00
diff --git a/Changes b/Changes
@@ -2,6 +2,12 @@ Revision history for XML-Sig
 
 {{$NEXT}}
 
+  [Notable Changes since 0.67]
+  - Fixed (CVE-2025-40934) issue where unsigned xml verified as true (thanks @gttds)
+
+  [Change Log]
+  - 420d8c4 Fixes #63: An unsigned XML should fail verification
+
 0.67 -- Fri Nov 07 18:25:52 AST 2025
 
   [Notable Changes since 0.65]
diff --git a/Makefile.PL b/Makefile.PL
@@ -47,7 +47,7 @@ my %WriteMakefileArgs = (
     "Test::Lib" => 0,
     "Test::More" => 0
   },
-  "VERSION" => "0.67",
+  "VERSION" => "0.68",
   "test" => {
     "TESTS" => "t/*.t"
   }
diff --git a/README b/README
@@ -3,7 +3,7 @@ NAME
     Signatures
 
 VERSION
-    version 0.67
+    version 0.68
 
 SYNOPSIS
        my $xml = '<foo ID="abc">123</foo>';
diff --git a/lib/XML/Sig.pm b/lib/XML/Sig.pm
@@ -500,6 +500,7 @@ sub verify {
     my $numsigs = $signature_nodeset->size();
     print ("NodeSet Size: $numsigs\n") if $DEBUG;
 
+    die 'XML::Sig - XML does not include any signatures' if $numsigs <= 0;
     # Loop through each Signature in the document checking each
     my $i;
     while (my $signature_node = $signature_nodeset->shift()) {
@@ -669,7 +670,7 @@ sub verify {
         return 0 unless ($refdigest eq _trim(encode_base64($digest, '')));
 
         print ( "Signature $i Valid\n") if $DEBUG;
-        }
+    }
 
     return 1;
 }
diff --git a/t/027_no_signatures_should_fail.t b/t/027_no_signatures_should_fail.t
@@ -0,0 +1,35 @@
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+use XML::Sig;
+
+my $cert_text = '-----BEGIN CERTIFICATE-----
+MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV
+SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4
+MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK
+DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0
+RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd
+4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V
+pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b
+2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ
+NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW
+5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4
+khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX
+UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L
+r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M
+m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==
+-----END CERTIFICATE-----';
+
+my $xml = '<foo ID="abc">123</foo>';
+my $signer = XML::Sig->new({
+  cert_text => $cert_text,
+});
+
+# verify a signature
+dies_ok( sub { $signer->verify($xml); }, "No Signatures found die properly.");
+
+done_testing();

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ my %WriteMakefileArgs = (`
`47`	`47`	`"Test::Lib" => 0,`
`48`	`48`	`"Test::More" => 0`
`49`	`49`	`},`
`50`		`- "VERSION" => "0.67",`
	`50`	`+ "VERSION" => "0.68",`
`51`	`51`	`"test" => {`
`52`	`52`	`"TESTS" => "t/*.t"`
`53`	`53`	`}`