RFR (JAXP): 8028111 : XML readers share the same entity expansion counter
daniel.fuchs at oracle.com
Thu Nov 14 17:12:22 UTC 2013
The new webrev looks good...
On 11/13/13 11:08 PM, huizhe wang wrote:
> On 11/13/2013 1:33 PM, Alan Bateman wrote:
>> On 13/11/2013 20:02, huizhe wang wrote:
>>> The issue is that the limits applied to each processing process
>>> rather than each file processing. This applies to not only StAX as
>>> reported, but also other parsers and validators. The fix is to add
>>> reset to XMLSecurityManager and call it upon each file processing.
>>> XSLT Transform is verified fixed as the underlying parsers are fixed.
>> This looks okay as a band-aid but won't this be replaced if fixed to
>> have limits per document?
> Each parser has its own copy of XMLSecurityManager that maintains the
> values of the limits. The parser is reset before it starts to parse a
> document. Resetting the values managed by XMLSecurityManager therefore
> makes sure that the limits are per document.
> Daniel sent me a private email to question if the reset in
> PropertyManager is safe. He was right. I traced that back to the
> previous patch in that the StAX parsers actually were sharing the same
> XMLSecurityManager, and also XMLSecurityPropertyManager. I've changed
> the code so that they are cloned.
More information about the core-libs-dev