https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #7 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Christopher Schultz from comment #6)
> I'm still curious as to why the SAX parser is warning of deep entity
> replacements, here, when I only see a single level.

Another "duh": this isn't about limits on entity expansion depth. Just the
expansion *count*. So if you have a document like this:

<!ENTITY foo "bar">

&foo; &foo; &foo; &foo; &foo;

You'll need to have an entityExpansionLimit of 5 or more in order to allow
the document to be parsed without error.

This has nothing to do with the billion laughs attack, except that
entityExpansionLimit can be used to limit the total number of replacements
(which indeed can effectively mitigate the billion-laughs attack). By
limiting the number of replacements to "1" you are effectively disabling
all use of XML entities, which isn't really practical.

I think the JAXP security settings you are looking for are more like these:

XMLConstants.FEATURE_SECURE_PROCESSING
http://xml.org/sax/features/external-general-entities
http://xml.org/sax/features/external-parameter-entities

I'm not convinced Tomcat should fix this bug, yet, but if Tomcat does fix
this, it will be by explicitly allowing entity expansion when parsing its
own files, which may be a violation of the security policies which your
organization sets. I'm not sure if there is a good solution, here, for you,
other than removing the DOCTYPE definitions.
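The distinction the comment draws (a count of replacements, not a nesting depth) and the three JAXP settings it names can be checked directly against the JDK's built-in SAX parser. The program below is an added illustration, not code from the bug report or from Tomcat. It assumes the JDK-specific per-parser property name `http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit` (documented for the JDK's JAXP implementation; the system property `jdk.xml.entityExpansionLimit` is the process-wide equivalent, and a value of 0 means no limit). Both XML documents are constructed here: the first is the comment's five-reference example wrapped in a DOCTYPE and a root element so that it is a complete document, the second is a small billion-laughs document (11,111 total expansions, only five levels deep).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitDemo {

    // Per-parser JAXP limit property (assumption: JDK/Xerces name, see lead-in).
    static final String EXPANSION_LIMIT_PROP =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Constructed: the comment's document, one entity, one level deep, five references.
    static final String FIVE_REFS =
        "<!DOCTYPE doc [ <!ENTITY foo \"bar\"> ]>\n"
      + "<doc>&foo; &foo; &foo; &foo; &foo;</doc>\n";

    // Constructed: a five-level billion-laughs document. Expansions:
    // 1 (lol4) + 10 (lol3) + 100 + 1000 + 10000 = 11111, but depth is only 5.
    static final String LAUGHS =
        "<!DOCTYPE doc [\n"
      + " <!ENTITY lol0 \"lol\">\n"
      + " <!ENTITY lol1 \"&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n"
      + "]>\n"
      + "<doc>&lol4;</doc>\n";

    /**
     * Parses xml with the given total entity-expansion limit.
     * External (file/URL) entities are switched off with the two SAX features
     * from the comment; internal entities such as &foo; are still expanded,
     * so they still count against the limit.
     * Returns true if the document parsed, false if the parser rejected it.
     */
    static boolean parses(String xml, int expansionLimit) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        SAXParser parser = factory.newSAXParser();
        // Counts every replacement performed while parsing, regardless of nesting.
        parser.setProperty(EXPANSION_LIMIT_PROP, String.valueOf(expansionLimit));

        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Limit 1 is effectively "no entities": the five &foo; references exceed it.
        System.out.println("FIVE_REFS, limit 1   -> " + parses(FIVE_REFS, 1));
        // A limit comfortably above the number of references lets the file through.
        System.out.println("FIVE_REFS, limit 100 -> " + parses(FIVE_REFS, 100));
        // Same limit stops the billion-laughs document: it is not deep, just large.
        System.out.println("LAUGHS,    limit 100 -> " + parses(LAUGHS, 100));
    }
}
```

Compile and run with a plain `javac EntityLimitDemo.java && java EntityLimitDemo`; no libraries beyond the JDK are needed. The first and third cases print a `rejected:` line from the parser naming the expansion limit, the second parses. Note that the two `external-*-entities` features do nothing for the comment's case: `&foo;` is an internal entity, which is exactly why only the count limit (or dropping the DOCTYPE) changes the outcome.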