ppkarwasz commented on code in PR #22:
URL: https://github.com/apache/commons-xml/pull/22#discussion_r3552469973


##########
src/test/java/org/apache/commons/xml/AttackTestSupport.java:
##########
@@ -347,8 +376,9 @@ static void assertPermissiveStaxParses(final String 
payload) {
         assertParseSucceeds(() -> {
             final XMLInputFactory factory = XMLInputFactory.newInstance();
             suppressException(() -> 
factory.setProperty(XMLConstants.FEATURE_SECURE_PROCESSING, false));
-            // URL form of the JDK property; JDK 8's 
XMLSecurityManager.getIndex only matches this form, JDK 11+ accepts both.
-            suppressException(() -> 
factory.setProperty(JDK_ENTITY_EXPANSION_LIMIT, "0"));
+            liftJdkEntityLimits(factory);
+            // Woodstox ignores the JDK properties and enforces its own 
default (100000) entity-count limit; lift it so the positive control parses.
+            suppressException(() -> factory.setProperty(WSTX_MAX_ENTITY_COUNT, 
Long.MAX_VALUE));

Review Comment:
   Fixed in 
https://github.com/apache/commons-xml/pull/22/commits/3abfea554c63d0ff170b61acdf42a752b62c3857



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to