RFR (JAXP): 8028111 : XML readers share the same entity expansion counter
huizhe.wang at oracle.com
Wed Nov 13 22:08:29 UTC 2013
On 11/13/2013 1:33 PM, Alan Bateman wrote:
> On 13/11/2013 20:02, huizhe wang wrote:
>> The issue is that the limits applied to each processing process
>> rather than each file processing. This applies to not only StAX as
>> reported, but also other parsers and validators. The fix is to add
>> reset to XMLSecurityManager and call it upon each file processing.
>> XSLT Transform is verified fixed as the underlying parsers are fixed.
> This looks okay as a band-aid but won't this be replaced if fixed to
> have limits per document?
Each parser has its own copy of XMLSecurityManager that maintains the
values of the limits. The parser is reset before it starts to parse a
document. Resetting the values managed by XMLSecurityManager therefore
makes sure that the limits are per document.

Daniel sent me a private email to question if the reset in
PropertyManager is safe. He was right. I traced that back to the
previous patch in that the StAX parsers actually were sharing the same
XMLSecurityManager, and also XMLSecurityPropertyManager. I've changed
the code so that they are cloned.
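
A regression check for the per-document behaviour discussed in this thread, as an added example that is not part of the original message or the patch. It assumes the JDK's built-in StAX implementation and its `entityExpansionLimit` JAXP property; the class name, the limit of 10 and the sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class PerDocumentEntityLimit {
    // JAXP limit property understood by the JDK's built-in parsers.
    static final String LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Constructed sample: a document with `refs` references to one internal entity.
    static String doc(int refs) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE r [<!ENTITY a \"x\">]><r>");
        for (int i = 0; i < refs; i++) sb.append("&a;");
        return sb.append("</r>").toString();
    }

    // True if a fresh reader from the shared factory parses the whole document.
    static boolean parses(XMLInputFactory f, String xml) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) r.next();
            r.close();
            return true;
        } catch (XMLStreamException | RuntimeException e) {
            return false; // limit exceeded (or any other parse failure)
        }
    }

    public static void main(String[] args) {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(LIMIT, Integer.valueOf(10));

        // 10 documents x 4 expansions: each is under the limit on its own,
        // but a counter shared across readers would pass 10 by the third one.
        for (int i = 1; i <= 10; i++) {
            if (!parses(f, doc(4)))
                throw new AssertionError("document " + i + " rejected: counter is not per document");
        }
        // The limit must still be enforced within a single document.
        if (parses(f, doc(50)))
            throw new AssertionError("over-limit document accepted: limit not enforced");
        System.out.println("entity expansion limit is applied per document");
    }
}
```

The second check matters as much as the first: a fix that resets or clones the counter must not leave the limit unenforced within one document.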