I can make SecureProcessingConfiguration recognize the SAX property
http://apache.org/xml/properties/total-entity-size-limit (i.e. you can get
it and set it.)

However there's something I'm missing in terms of making it actually pay
attention to it.

I've added this code to checkEntitySizeLimits:

        // If a specific value is set on the reader use that; otherwise use system value
        int totalEntitySizeProperty =
                ((Number) getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
        int totalEntitySizeLimit = totalEntitySizeProperty > 0
                ? totalEntitySizeProperty
                : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;


However my tests and the debugger tell me that nothing is ever
calling checkEntitySizeLimits. So there's probably something I don't
understand about setting up the parser.  What I'm doing is this:

    import junit.framework.TestCase;

    import org.apache.xerces.parsers.SAXParser;
    import org.apache.xerces.parsers.SecureProcessingConfiguration;
    import org.xml.sax.SAXParseException;
    import org.xml.sax.XMLReader;

    // InputData is not shown in this message.
    public class TotalEntitySizeTest extends TestCase {

        private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
            = "http://apache.org/xml/properties/total-entity-size-limit";

        public void testSAXTotalEntitySizeLimitSystemProperty() throws Exception {
            // Parser built on the configuration that is meant to enforce the limit
            XMLReader reader = new SecureParser();
            reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME, Integer.valueOf(10000));
            assertEquals(Integer.valueOf(10000),
                    reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));

            try {
                reader.parse(new InputData("pEntitySP.xml"));
                fail("Expected SAXParseException");
            }
            catch (SAXParseException se) {
                // The error message is expected to quote the configured limit
                assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
            }
        }

        private static class SecureParser extends SAXParser {
            SecureParser() {
                super(new SecureProcessingConfiguration());
            }
        }

    }


It fails with a heap out of memory. Any suggestions?





On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <[email protected]>
wrote:

> Was planning on only adding it to SecureProcessingConfiguration. Have been
> thinking about making it the default config in the next release.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: [email protected]
> E-mail: [email protected]
>
> Elliotte Rusty Harold <[email protected]> wrote on 07/25/2014 02:30:10 PM:
>
> > Should this property be supported by all configurations or just by
> > the SecureProcessingConfiguration?
> >
>
> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich <[email protected]> wrote:
> > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014 04:08:58 PM:
> >
> > > From: Elliotte Rusty Harold <[email protected]>
> > > To: [email protected],
> > > Date: 07/08/2014 04:09 PM
> > > Subject: Re: totalEntitySizeLimit
> > >
> > > What name will be used?
>
> > Following naming conventions of Xerces' other properties it would probably
> > be something like:
> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
> >
> > > Any plans for when the next release is likely to drop?
>
> > There's no date yet. Any discussion about that would happen on this
> > mailing list. We know we're long overdue though.
> >
> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich <[email protected]> wrote:
> > > There's been some work on the trunk for supporting similar function but it
> > > won't be exposed with that Oracle property name.
> > >
> > > Michael Glavassevich
> > > XML Technologies and WAS Development
> > > IBM Toronto Lab
> > > E-mail: [email protected]
> > > E-mail: [email protected]
> > >
> > > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014 12:30:07 PM:
> > >
> > > > Is there any plan to implement the
> > > > http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
> > > > property or equivalent in trunk Xerces?
> > > >
> > > > It is supported for a few months now in the patched Xerces shipped
> > > > with the JDK 7.
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > [email protected]
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> > > --
> > > Elliotte Rusty Harold
> > > [email protected]
>
> > Thanks.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: [email protected]
> > E-mail: [email protected]
> >
>
> > --
> > Elliotte Rusty Harold
> > [email protected]
>


-- 
Elliotte Rusty Harold
[email protected]
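
Added example, not part of the original message or of the Xerces code base: the quoted thread notes that the JDK's bundled parser already supports the Oracle-named property, so this example sets that property on the JDK parser and parses a constructed document whose nested entities expand to 20,000 characters. The class name, helper names and sample document are assumptions made for illustration; it assumes Java 9+ and a JDK that still recognises this property name, and with the limit at 10,000 the parse is expected to end in a SAXParseException.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class JdkTotalEntitySizeLimitDemo {
    // Property name quoted in the thread; assumed to be recognised by the running JDK.
    static final String LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    // Constructed input: bounded nested entities, 20,000 characters once expanded.
    static String sampleDocument() {
        StringBuilder e0 = new StringBuilder(), e1 = new StringBuilder(), e2 = new StringBuilder();
        for (int i = 0; i < 100; i++) e0.append('x');   // 100 characters
        for (int i = 0; i < 10; i++) e1.append("&e0;"); // 1,000 when expanded
        for (int i = 0; i < 20; i++) e2.append("&e1;"); // 20,000 when expanded
        return "<!DOCTYPE r [\n"
             + "<!ENTITY e0 \"" + e0 + "\">\n"
             + "<!ENTITY e1 \"" + e1 + "\">\n"
             + "<!ENTITY e2 \"" + e2 + "\">\n"
             + "]>\n<r>&e2;</r>";
    }
    // Returns the number of characters delivered, or -1 if the parser rejected the input.
    static long parseWithLimit(int limit) throws Exception {
        // newDefaultInstance() (Java 9+) always returns the JDK's built-in parser.
        XMLReader reader = SAXParserFactory.newDefaultInstance().newSAXParser().getXMLReader();
        reader.setProperty(LIMIT, Integer.valueOf(limit));
        final long[] count = {0};
        reader.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int length) {
                count[0] += length;
            }
        });
        try {
            reader.parse(new InputSource(new StringReader(sampleDocument())));
            return count[0];
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return -1;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("limit 1,000,000 -> " + parseWithLimit(1_000_000));
        System.out.println("limit 10,000    -> " + parseWithLimit(10_000));
    }
}
```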
