Ping. Any thoughts about this? I don't expect you to accept the patch as
is, but I would like to get the ball rolling.

Thanks.


On Fri, Aug 8, 2014 at 3:27 PM, Elliotte Rusty Harold <[email protected]>
wrote:

> I'm attaching a patch. (I looked for a way to attach a patch in Jira but
> couldn't find one.)
>
> Feel free to request revisions.
>
>
> On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold <[email protected]>
> wrote:
>
>>
>> OK this is weird. Apparently everything works if I set
>>
>>         System.setProperty("jdk.xml.entityExpansionLimit", "0");
>>
>>
>> and otherwise it doesn't. Somehow that triggers the use of the
>> SecureProcessingConfiguration. Can anyone explain why?
>>
>>
>>
>>
>>
>>
>> On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <
>> [email protected]> wrote:
>>
>>> I can make SecureProcessingConfiguration recognize the SAX property
>>> http://apache.org/xml/properties/total-entity-size-limit (i.e. you can
>>> get it and set it.)
>>>
>>> However there's something I'm missing in terms of making it actually
>>> pay attention to it.
>>>
>>> I've added this code to checkEntitySizeLimits:
>>>
>>>         // If a specific value is set on the reader use that; otherwise use system value
>>>         int totalEntitySizeProperty = ((Number) getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
>>>         int totalEntitySizeLimit = totalEntitySizeProperty > 0 ? totalEntitySizeProperty
>>>                 : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>>>
>>>
>>> However my tests and the debugger tell me that nothing is ever
>>> calling checkEntitySizeLimits. So there's probably something I don't
>>> understand about setting up the parser.  What I'm doing is this:
>>>
>>> public class TotalEntitySizeTest extends TestCase {
>>>
>>>     private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
>>>         = "http://apache.org/xml/properties/total-entity-size-limit";
>>>
>>>     public void testSAXTotalEntitySizeLimitSystemProperty() throws Exception {
>>>         XMLReader reader = new SecureParser();
>>>         reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME, Integer.valueOf(10000));
>>>         assertEquals(Integer.valueOf(10000), reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>>>
>>>         try {
>>>             reader.parse(new InputData("pEntitySP.xml"));
>>>             fail("Expected SAXParseException");
>>>         }
>>>         catch (SAXParseException se) {
>>>             assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
>>>         }
>>>     }
>>>
>>>     private static class SecureParser extends SAXParser {
>>>         SecureParser() {
>>>             super(new SecureProcessingConfiguration());
>>>         }
>>>     }
>>>
>>> }
>>>
>>>
>>> It fails with a heap out of memory. Any suggestions?
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <
>>> [email protected]> wrote:
>>>
>>>> Was planning on only adding it to SecureProcessingConfiguration. Have
>>>> been
>>>> thinking about making it the default config in the next release.
>>>>
>>>> Michael Glavassevich
>>>> XML Technologies and WAS Development
>>>> IBM Toronto Lab
>>>> E-mail: [email protected]
>>>> E-mail: [email protected]
>>>>
>>>> Elliotte Rusty Harold <[email protected]> wrote on 07/25/2014 02:30:10
>>>> PM:
>>>>
>>>> > Should this property be supported by all configurations or just by
>>>> > the SecureProcessingConfiguration?
>>>> >
>>>>
>>>> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
>>>> <[email protected]
>>>> > > wrote:
>>>> > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014
>>>> 04:08:58
>>>> > PM:
>>>> >
>>>> > > From: Elliotte Rusty Harold <[email protected]>
>>>> > > To: [email protected],
>>>> > > Date: 07/08/2014 04:09 PM
>>>> > > Subject: Re: totalEntitySizeLimit
>>>> > >
>>>> > > What name will be used?
>>>>
>>>> > Following naming conventions of Xerces' other properties it would
>>>> probably
>>>> > be something like:
>>>> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
>>>> >
>>>> > > Any plans for when the next release is likely to drop?
>>>>
>>>> > There's no date yet. Any discussion about that would happen on this
>>>> > mailing list. We know we're long overdue though.
>>>> >
>>>> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
>>>> > <[email protected]>
>>>> > > > wrote:
>>>> > > There's been some work on the trunk for supporting similar function
>>>> but
>>>> > it
>>>> > > won't be exposed with that Oracle property name.
>>>> > >
>>>> > > Michael Glavassevich
>>>> > > XML Technologies and WAS Development
>>>> > > IBM Toronto Lab
>>>> > > E-mail: [email protected]
>>>> > > E-mail: [email protected]
>>>> > >
>>>> > > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014
>>>> 12:30:07
>>>> > > PM:
>>>> > >
>>>> > > > Is there any plan to implement the
>>>> http://www.oracle.com/xml/jaxp/
>>>> > > > properties/totalEntitySizeLimit property or equivalent in trunk
>>>> > Xerces?
>>>> > > >
>>>> > > > It has been supported for a few months now in the patched Xerces shipped
>>>> > > > with the JDK 7.
>>>> > > >
>>>> > > > --
>>>> > > > Elliotte Rusty Harold
>>>> > > > [email protected]
>>>> > >
>>>> > >
>>>> ---------------------------------------------------------------------
>>>> > > To unsubscribe, e-mail: [email protected]
>>>> > > For additional commands, e-mail: [email protected]
>>>> > >
>>>> > > --
>>>> > > Elliotte Rusty Harold
>>>> > > [email protected]
>>>>
>>>> > Thanks.
>>>> >
>>>> > Michael Glavassevich
>>>> > XML Technologies and WAS Development
>>>> > IBM Toronto Lab
>>>> > E-mail: [email protected]
>>>> > E-mail: [email protected]
>>>> >
>>>>
>>>>
>>>> >
>>>>
>>>> >
>>>> > --
>>>> > Elliotte Rusty Harold
>>>> > [email protected]
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Elliotte Rusty Harold
>>> [email protected]
>>>
>>
>>
>>
>> --
>> Elliotte Rusty Harold
>> [email protected]
>>
>
>
>
> --
> Elliotte Rusty Harold
> [email protected]
>



-- 
Elliotte Rusty Harold
[email protected]
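
An added example, not part of the original message and not Xerces project code: the per-parser total entity size limit discussed in this thread, set through the Oracle property name quoted above and checked against a document whose nested entities expand well past the limit. It assumes `SAXParserFactory.newInstance()` returns the JDK's bundled JAXP parser; the class name, helper names and input document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class TotalEntitySizeLimitDemo {   // hypothetical class name
    // JAXP property name quoted in the thread for the JDK's patched Xerces.
    static final String TOTAL_ENTITY_SIZE_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    static String repeat(String s, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) sb.append(s);
        return sb.toString();
    }
    // Constructed input: &d; expands to 5 * 10 * 10 * 100 = 50,000 characters.
    static String nestedEntityDocument() {
        return "<!DOCTYPE r [\n"
            + "<!ENTITY a \"" + repeat("x", 100) + "\">\n"
            + "<!ENTITY b \"" + repeat("&a;", 10) + "\">\n"
            + "<!ENTITY c \"" + repeat("&b;", 10) + "\">\n"
            + "<!ENTITY d \"" + repeat("&c;", 5) + "\">\n"
            + "]>\n<r>&d;</r>";
    }
    // Returns the characters delivered to the handler, or -1 if the parser aborted.
    static long parseWithLimit(int limit) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = factory.newSAXParser();
        // Per-parser value, set on this parser instance rather than via a system property.
        parser.setProperty(TOTAL_ENTITY_SIZE_LIMIT, Integer.valueOf(limit));
        final long[] delivered = {0};
        DefaultHandler counter = new DefaultHandler() {
            @Override public void characters(char[] c, int s, int len) { delivered[0] += len; }
        };
        try {
            parser.parse(new InputSource(new StringReader(nestedEntityDocument())), counter);
            return delivered[0];
        } catch (SAXParseException e) {   // a limit was exceeded, or another fatal parse error
            System.out.println("aborted: " + e.getMessage());
            return -1;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("limit 10000   -> " + parseWithLimit(10000));
        System.out.println("limit 1000000 -> " + parseWithLimit(1000000));
    }
}
```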
