Hi Joe,
The new webrev looks good...
-- daniel
On 11/13/13 11:08 PM, huizhe wang wrote:
On 11/13/2013 1:33 PM, Alan Bateman wrote:
On 13/11/2013 20:02, huizhe wang wrote:
Hi,
The issue is that the limits applied to each processing process
rather than each file processing. This applies to not only StAX as
reported, but also other parsers and validators. The fix is to add
reset to XMLSecurityManager and call it upon each file processing.
XSLT Transform is verified fixed as the underlying parsers are fixed.
webrev:
http://cr.openjdk.java.net/~joehw/jdk8/8028111/webrev/
This looks okay as a band-aid but won't this be replaced if fixed to
have limits per document?
Each parser has its own copy of XMLSecurityManager that maintains the
values of the limits. The parser is reset before it starts to parse a
document. Resetting the values managed by XMLSecurityManager therefore
makes sure that the limits are per document.
Daniel sent me a private email to question if the reset in
PropertyManager is safe. He was right. I traced that back to the
previous patch in that the StAX parsers actually were sharing the same
XMLSecurityManager, and also XMLSecurityPropertyManager. I've changed
the code so that they are cloned.
webrev:
http://cr.openjdk.java.net/~joehw/jdk8/8028111/webrev/
Thanks,
Joe
-Alan.
