[
https://issues.apache.org/jira/browse/TIKA-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14018247#comment-14018247
]
ASF GitHub Bot commented on TIKA-1322:
--------------------------------------
GitHub user mkr opened a pull request:
https://github.com/apache/tika/pull/9
TIKA-1322: Properly close XMLParser's output in case of SAXException.
Fix and test for https://issues.apache.org/jira/browse/TIKA-1322.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mkr/tika TIKA-1322
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/tika/pull/9.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #9
----
commit 63d979538a72e5c044b2074219268da57fcf48cd
Author: Matthias Krueger <m...@mkr.io>
Date: 2014-06-04T21:45:15Z
TIKA-1322: Properly close XMLParser's output in case of SAXException.
----
> XML file parse errors within archives trigger Zip bomb detection
> ----------------------------------------------------------------
>
> Key: TIKA-1322
> URL: https://issues.apache.org/jira/browse/TIKA-1322
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 1.5
> Reporter: Matthias Krueger
> Priority: Minor
>
> Tika parses XML input using org.apache.tika.parser.xml.XMLParser. XMLParser
> opens a "p" tag before a SAXParser's output of the input XML is appended. A
> possible SAXException during parsing is rethrown but the opened "p" tag not
> closed. The Zip bomb detection in SecureContentHandler relies on consistent
> starting and closing of elements. With the current behaviour of XMLParser it
> will be triggered, for example, if an archive contains 10
> (SecureContentHandler#maxPackageEntryDepth) invalid XML files.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
