Been busy with my day job. Hope to take a look at it soon.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

Elliotte Rusty Harold <[email protected]> wrote on 08/15/2014 10:31:27 AM:

> Ping. Any thoughts about this? I don't expect you to accept the 
> patch as is, but I would like to get the ball rolling.
> 
> Thanks. 
> 

> On Fri, Aug 8, 2014 at 3:27 PM, Elliotte Rusty Harold <[email protected]> wrote:
> I'm attaching a patch. (I looked for a way to attach a patch in Jira
> but couldn't find one.) 
> 
> Feel free to request revisions. 
> 

> On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold <[email protected]> wrote:
> 
> OK this is weird. Apparently everything works if I set
> 
>         System.setProperty("jdk.xml.entityExpansionLimit", "0");
> 
> and otherwise it doesn't. Somehow that triggers the use of the 
> SecureProcessingConfiguration. Can anyone explain why? 
> 
> 

> On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <[email protected]> wrote:
> I can make SecureProcessingConfiguration recognize the SAX property 
> http://apache.org/xml/properties/total-entity-size-limit (i.e. you 
> can get it and set it.)
> 
> However there's something I'm missing in terms of making it
> actually pay attention to it. 
> 
> I've added this code to checkEntitySizeLimits:
> 
>         // If a specific value is set on the reader use that; otherwise use system value
>         int totalEntitySizeProperty = ((Number) getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
>         int totalEntitySizeLimit = totalEntitySizeProperty > 0 ? totalEntitySizeProperty
>                 : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>         
> 
> However my tests and the debugger tell me that nothing is ever 
> calling checkEntitySizeLimits. So there's probably something I don't
> understand about setting up the parser.  What I'm doing is this:
> 
>  public class TotalEntitySizeTest extends TestCase {
> 
>     private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
>         = "http://apache.org/xml/properties/total-entity-size-limit";
>
>     public void testSAXTotalEntitySizeLimitSystemProperty() throws Exception {
>         XMLReader reader = new SecureParser();
>         reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME, Integer.valueOf(10000));
>         assertEquals(Integer.valueOf(10000), reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>         
>         try {
>             reader.parse(new InputData("pEntitySP.xml"));
>             fail("Expected SAXParseException");
>         }
>         catch (SAXParseException se) {
>             assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
>         }
>     }
>     
>     private static class SecureParser extends SAXParser {
>         SecureParser() {
>             super(new SecureProcessingConfiguration());
>         }
>     }
>     
> }
> 
> It fails with a heap out of memory. Any suggestions?
> 
> 

> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <[email protected]> wrote:
> Was planning on only adding it to SecureProcessingConfiguration. Have been
> thinking about making it the default config in the next release.
> 
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: [email protected]
> E-mail: [email protected]

> Elliotte Rusty Harold <[email protected]> wrote on 07/25/2014 02:30:10 PM:
>
> > Should this property be supported by all configurations or just by
> > the SecureProcessingConfiguration?
> >
> 
> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich <[email protected]> wrote:
> > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014 04:08:58 PM:
> >
> > > From: Elliotte Rusty Harold <[email protected]>
> > > To: [email protected],
> > > Date: 07/08/2014 04:09 PM
> > > Subject: Re: totalEntitySizeLimit
> > >
> > > What name will be used?
> 
> > Following naming conventions of Xerces' other properties it would probably
> > be something like:
> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
> >
> > > Any plans for when the next release is likely to drop?
> 
> > There's no date yet. Any discussion about that would happen on this
> > mailing list. We know we're long overdue though.
> >
> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich <[email protected]> wrote:
> > > There's been some work on the trunk for supporting similar function but it
> > > won't be exposed with that Oracle property name.
> > >
> > > Michael Glavassevich
> > > XML Technologies and WAS Development
> > > IBM Toronto Lab
> > > E-mail: [email protected]
> > > E-mail: [email protected]
> > >
> > > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014 12:30:07 PM:
> > >
> > > > Is there any plan to implement the
> > > > http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
> > > > property or equivalent in trunk Xerces?
> > > >
> > > > It is supported for a few months now in the patched Xerces shipped
> > > > with the JDK 7.
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > [email protected]
> > >
> > > 
---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> > > --
> > > Elliotte Rusty Harold
> > > [email protected]
> 
> > Thanks.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: [email protected]
> > E-mail: [email protected]
> >
> 
> 
> >
> 
> >
> > --
> > Elliotte Rusty Harold
> > [email protected]
> 
> 

> 

> 
> -- 
> Elliotte Rusty Harold
> [email protected] 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
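
Added example (not part of the thread, and not Xerces trunk code): a per-parser total entity size limit, shown with the JDK's built-in JAXP parser and the Oracle property name from the first message. It assumes SAXParserFactory.newInstance() returns the JDK implementation (an Apache Xerces jar on the classpath would not recognize the property); the class name, helper methods and sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class TotalEntitySizeLimitDemo {
    // JDK property name quoted in the first message of the thread.
    static final String JDK_TOTAL_ENTITY_SIZE_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    static String repeat(String s, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) sb.append(s);
        return sb.toString();
    }

    // Constructed sample: three nested internal entities. The file is a few
    // hundred bytes, but &c; expands to about 10,000 characters.
    static String sampleDocument() {
        return "<!DOCTYPE r [\n"
             + "<!ENTITY a \"" + repeat("x", 100) + "\">\n"
             + "<!ENTITY b \"" + repeat("&a;", 10) + "\">\n"
             + "<!ENTITY c \"" + repeat("&b;", 10) + "\">\n"
             + "]>\n<r>&c;</r>";
    }

    // Parses the sample with the given per-parser limit and reports whether
    // the parser rejected it with a SAXParseException.
    static boolean rejected(String limit) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        // Set on this parser only; other parsers keep the system-wide value.
        parser.setProperty(JDK_TOTAL_ENTITY_SIZE_LIMIT, limit);
        try {
            parser.parse(new InputSource(new StringReader(sampleDocument())),
                         new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            System.out.println("limit " + limit + ": " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("limit 1000 rejected: " + rejected("1000"));
        System.out.println("limit 100000 rejected: " + rejected("100000"));
    }
}
```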
