OK this is weird. Apparently everything works if I set

        System.setProperty("jdk.xml.entityExpansionLimit", "0");


and otherwise it doesn't. Somehow that triggers the use of the
SecureProcessingConfiguration. Can anyone explain why?






On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <[email protected]>
wrote:

> I can make SecureProcessingConfiguration recognize the SAX property
> http://apache.org/xml/properties/total-entity-size-limit (i.e. you can
> get it and set it.)
>
> However there's something I'm missing in terms of making it actually pay
> attention to it.
>
> I've added this code to checkEntitySizeLimits:
>
>         // If a specific value is set on the reader use that; otherwise use system value
>         int totalEntitySizeProperty = ((Number) getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
>         int totalEntitySizeLimit = totalEntitySizeProperty > 0 ? totalEntitySizeProperty
>                 : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>
>
> However my tests and the debugger tell me that nothing is ever
> calling checkEntitySizeLimits. So there's probably something I don't
> understand about setting up the parser.  What I'm doing is this:
>
>  public class TotalEntitySizeTest extends TestCase {
>
>     private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
>         = "http://apache.org/xml/properties/total-entity-size-limit";
>
>     public void testSAXTotalEntitySizeLimitSystemProperty() throws Exception {
>         XMLReader reader = new SecureParser();
>         reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME, Integer.valueOf(10000));
>         assertEquals(Integer.valueOf(10000),
>                 reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>
>         try {
>             reader.parse(new InputData("pEntitySP.xml"));
>             fail("Expected SAXParseException");
>         }
>         catch (SAXParseException se) {
>             assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
>         }
>     }
>
>     private static class SecureParser extends SAXParser {
>         SecureParser() {
>             super(new SecureProcessingConfiguration());
>         }
>     }
>
> }
>
>
> It fails with a heap out of memory. Any suggestions?
>
>
>
>
>
> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <
> [email protected]> wrote:
>
>> Was planning on only adding it to SecureProcessingConfiguration. Have been
>> thinking about making it the default config in the next release.
>>
>> Michael Glavassevich
>> XML Technologies and WAS Development
>> IBM Toronto Lab
>> E-mail: [email protected]
>> E-mail: [email protected]
>>
>> Elliotte Rusty Harold <[email protected]> wrote on 07/25/2014 02:30:10
>> PM:
>>
>> > Should this property be supported by all configurations or just by
>> > the SecureProcessingConfiguration?
>> >
>>
>> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
>> <[email protected]
>> > > wrote:
>> > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014 04:08:58
>> > PM:
>> >
>> > > From: Elliotte Rusty Harold <[email protected]>
>> > > To: [email protected],
>> > > Date: 07/08/2014 04:09 PM
>> > > Subject: Re: totalEntitySizeLimit
>> > >
>> > > What name will be used?
>>
>> > Following naming conventions of Xerces' other properties it would
>> probably
>> > be something like:
>> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
>> >
>> > > Any plans for when the next release is likely to drop?
>>
>> > There's no date yet. Any discussion about that would happen on this
>> > mailing list. We know we're long overdue though.
>> >
>> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
>> > <[email protected]>
>> > > > wrote:
>> > > There's been some work on the trunk for supporting similar function
>> but
>> > it
>> > > won't be exposed with that Oracle property name.
>> > >
>> > > Michael Glavassevich
>> > > XML Technologies and WAS Development
>> > > IBM Toronto Lab
>> > > E-mail: [email protected]
>> > > E-mail: [email protected]
>> > >
>> > > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014
>> 12:30:07
>> > > PM:
>> > >
>> > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
>> > > > properties/totalEntitySizeLimit property or equivalent in trunk
>> > Xerces?
>> > > >
>> > > > It is supported for a few months now in the patched Xerces shipped
>> > > > with the JDK 7.
>> > > >
>> > > > --
>> > > > Elliotte Rusty Harold
>> > > > [email protected]
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: [email protected]
>> > > For additional commands, e-mail: [email protected]
>> > >
>> > > --
>> > > Elliotte Rusty Harold
>> > > [email protected]
>>
>> > Thanks.
>> >
>> > Michael Glavassevich
>> > XML Technologies and WAS Development
>> > IBM Toronto Lab
>> > E-mail: [email protected]
>> > E-mail: [email protected]
>> >
>>
>>
>> >
>>
>> >
>> > --
>> > Elliotte Rusty Harold
>> > [email protected]
>>
>>
>>
>>
>
>
> --
> Elliotte Rusty Harold
> [email protected]
>



-- 
Elliotte Rusty Harold
[email protected]
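
An added example, not part of the thread and not Xerces code: the JDK-bundled parser's `totalEntitySizeLimit` property named in the original question, exercised against a constructed document with a low and a high limit. It assumes Java 9 or later (for `newDefaultInstance()`, which selects the JDK's built-in parser even if Apache Xerces is on the classpath); the class and method names are illustrative.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class TotalEntitySizeLimitDemo {
    // Property name of the JDK's patched Xerces, as quoted in the thread.
    // Assumption: running on the JDK built-in parser, not Apache Xerces.
    static final String LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    // Constructed sample: entity "b" references the 50-character
    // entity "a" ten times, so expanding &b; yields 500 characters.
    static String sampleDocument() {
        StringBuilder a = new StringBuilder();
        for (int i = 0; i < 50; i++) {
            a.append('x');
        }
        return "<!DOCTYPE r [\n"
             + "  <!ENTITY a \"" + a + "\">\n"
             + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
             + "]>\n"
             + "<r>&b;</r>";
    }

    // Returns null if the document parsed, otherwise the parser's
    // rejection message for the given total entity size limit.
    static String parseWithLimit(String xml, int limit) throws Exception {
        SAXParser parser = SAXParserFactory.newDefaultInstance().newSAXParser();
        parser.setProperty(LIMIT, String.valueOf(limit));
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = sampleDocument();
        // A limit below the expanded size should be rejected by the parser;
        // a limit well above it should let the same document through.
        System.out.println("limit 100:    " + parseWithLimit(xml, 100));
        System.out.println("limit 100000: " + parseWithLimit(xml, 100000));
    }
}
```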
