Hi,

I have a question related to change "8017298: Better XML support"
which went into the last security update. Because it was considered a
security fix, there's not much information available (i.e. no webrev,
no bug description, no discussion on the public mailing lists).

As far as I can see, the "entityExpansionLimit" for JAXB has been
there since Java 5 and according to Blaise Doughan's blog at
http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html
it should have been enabled by default together with the
XMLConstants.FEATURE_SECURE_PROCESSING feature.

Now we have a customer who claims that after upgrading to 7u45 he gets
an exception because of too many entity expansions. The customer
explicitly sets "-DentityExpansionLimit=1".

For us it seems as if before change "8017298: Better XML support"
there must have been places in the libraries which ignored the
"entityExpansionLimit" setting even if this was explicitly specified
by the user. Can somebody confirm this assumption or is our customer
facing another problem?

Thank you and best regards,
Volker

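To reproduce the behaviour the question is about, here is a small added example (not code from the thread, the JDK or the customer): it builds a constructed document with one internal entity referenced a varying number of times, parses it through DocumentBuilder with XMLConstants.FEATURE_SECURE_PROCESSING enabled, and sets the legacy entityExpansionLimit system property the same way the customer's -DentityExpansionLimit=1 does. The class name and the sample XML are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class EntityLimitDemo {

    // Constructed sample document: a DTD with one internal entity and a body
    // that references it 'refs' times. No external entities are involved, so
    // nothing is fetched from disk or the network.
    static String buildDoc(int refs) {
        StringBuilder body = new StringBuilder();
        for (int i = 0; i < refs; i++) {
            body.append("&e;");
        }
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [ <!ENTITY e \"x\"> ]>\n"
             + "<doc>" + body + "</doc>";
    }

    // Parses with secure processing switched on. Returns true if the parser
    // accepted the document and false if it rejected it with a fatal error
    // (the entity-expansion limit shows up as a SAXParseException).
    static boolean parses(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Same effect as the customer's -DentityExpansionLimit=1. Set it before
        // any factory or builder is created: the legacy property is read when
        // the parser is constructed, not on every parse call.
        System.setProperty("entityExpansionLimit", args.length > 0 ? args[0] : "1");

        for (int refs : new int[] {1, 2, 10, 100}) {
            System.out.printf("%d entity reference(s): %s%n", refs,
                    parses(buildDoc(refs)) ? "accepted" : "rejected");
        }
    }
}
```

Run it once on the JDK the customer upgraded from and once on 7u45 (optionally passing a larger limit as the first argument) and compare at which number of references the parser starts rejecting the document; that shows directly whether the explicit limit was honoured before the update or only after it, without having to guess from the customer's report.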