ppkarwasz commented on code in PR #22:
URL: https://github.com/apache/commons-xml/pull/22#discussion_r3552372386


##########
src/site/markdown/threat_model.md:
##########
@@ -78,21 +78,20 @@ listed below. Which hardening recipe applies depends on the 
JAXP implementation
 
 **System properties that modify behavior**
 
-When a factory or parser is created, the library reads the following JDK 
system properties and pins each value on every
-recognized parser, including bundled ones that ignore `jdk.xml.*` on their 
own. If a property is unset, the fixed value
-shown applies (matching the JDK 25 secure default), regardless of the JDK in 
use. These properties are trusted
-deployment configuration: an operator may set one to tighten (or loosen) a 
limit globally, but loosening through one is
-reconfiguration, treated like loosening any other reserved setting (see [What 
is out of scope](#what-is-out-of-scope)).
-
-- `jdk.xml.elementAttributeLimit`: `200`
-- `jdk.xml.entityExpansionLimit`: `2500`
-- `jdk.xml.entityReplacementLimit`: `100000`
-- `jdk.xml.maxElementDepth`: `100`
-- `jdk.xml.maxGeneralEntitySizeLimit`: `100000`
-- `jdk.xml.maxOccurLimit`: `5000`
-- `jdk.xml.maxParameterEntitySizeLimit`: `15000`
-- `jdk.xml.maxXMLNameLimit`: `1000`
-- `jdk.xml.totalEntitySizeLimit`: `100000`
+The library reads no system property of its own. It enables secure processing 
(`FEATURE_SECURE_PROCESSING`) on every
+recognized parser and leaves the resulting processing limits (entity 
expansion, element depth, attribute count, and
+similar) at the implementation's own secure default. Those defaults differ by 
implementation, and on the stock JDK by
+JDK version and the standard `jdk.xml.*` limit properties the JDK itself reads:

Review Comment:
   Fixed in 
https://github.com/apache/commons-xml/pull/22/commits/67353b1dc2b70376183c6c917b5a17e580db1cd1



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to