Question regarding "Entity Expansion in JAXB", "-DentityExpansionLimit" and "8017298: Better XML support"
Alan.Bateman at oracle.com
Thu Nov 7 18:05:46 UTC 2013
On 07/11/2013 17:33, Volker Simonis wrote:
> I have a question related to change "8017298: Better XML support"
> which went into the last security update. Because it was considered a
> security fix, there's not much information available (i.e. no webrev,
> no bug description, no discussion on the public mailing lists).
> As far as I can see, the "entityExpansionLimit" for JAXB has been
> there since Java 5 and according to Blaise Doughan's blog at
> it should have been enabled by default together with the
> XMLConstants.FEATURE_SECURE_PROCESSING feature.
> Now we have a customer who claims that after upgrading to 7u45 he gets
> an exception because of too many entity expansions. The customer
> explicitly sets "-DentityExpansionLimit=1".
> For us it seems as if before change "8017298: Better XML support"
> there must have been places in the libraries which ignored the
> "entityExpansionLimit" setting even if this was explicitly specified
> by the user. Can somebody confirm this assumption or is our customer
> facing another problem?
This might be useful:
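A small check for the situation the question describes, added here as an example rather than anything from the thread or the JDK: it sets the same limit as `-DentityExpansionLimit=1`, then parses a constructed document with five expansions of one internal entity both through plain SAX with `FEATURE_SECURE_PROCESSING` and through a JAXB unmarshaller, and reports whether each path enforces the limit. The class and element names are assumptions; it assumes a JDK 7/8 runtime with the built-in JAXB.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlValue;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitCheck {

    // Constructed sample: one internal entity expanded five times, which
    // exceeds the limit of 1 set in main() whatever the exact count boundary.
    static final String XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [ <!ENTITY a \"x\"> ]>\n" +
        "<root>&a;&a;&a;&a;&a;</root>";

    @XmlRootElement(name = "root")
    public static class Root {          // hypothetical JAXB binding class
        @XmlValue
        public String value;
    }

    static String viaSax() {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // DefaultHandler rethrows fatal errors, so an exceeded limit surfaces here
            f.newSAXParser().parse(new InputSource(new StringReader(XML)), new DefaultHandler());
            return "SAX: parsed, limit NOT enforced";
        } catch (Exception e) {
            return "SAX: rejected (" + e.getMessage() + ")";
        }
    }

    static String viaJaxb() {
        try {
            Unmarshaller u = JAXBContext.newInstance(Root.class).createUnmarshaller();
            Root r = (Root) u.unmarshal(new StringReader(XML));
            return "JAXB: parsed \"" + r.value + "\", limit NOT enforced";
        } catch (Exception e) {
            return "JAXB: rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Same effect as -DentityExpansionLimit=1; it must be set before
        // the first parser factory is created, because the value is read then.
        System.setProperty("entityExpansionLimit", "1");
        System.out.println(viaSax());
        System.out.println(viaJaxb());
    }
}
```

Running it under the JDK before and after the update shows directly whether the JAXB path honours the property the customer set, which is what the question asks.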