RFR (JAXP): 8028111: XML readers share the same entity expansion counter

huizhe wang huizhe.wang at oracle.com
Wed Nov 13 22:08:29 UTC 2013

On 11/13/2013 1:33 PM, Alan Bateman wrote:
> On 13/11/2013 20:02, huizhe wang wrote:
>> Hi,
>> The issue is that the limits applied to each process rather than to 
>> each file processed. This applies not only to StAX, as reported, but 
>> also to other parsers and validators. The fix is to add a reset to 
>> XMLSecurityManager and call it upon each file processing. XSLT 
>> Transform is verified fixed as the underlying parsers are fixed.
>> webrev:
>> http://cr.openjdk.java.net/~joehw/jdk8/8028111/webrev/
> This looks okay as a band-aid but won't this be replaced if fixed to 
> have limits per document?

Each parser has its own copy of XMLSecurityManager that maintains the 
values of the limits. The parser is reset before it starts to parse a 
document. Resetting the values managed by XMLSecurityManager therefore 
makes sure that the limits are per document.

Daniel sent me a private email to question if the reset in 
PropertyManager is safe. He was right. I traced that back to the 
previous patch in that the StAX parsers actually were sharing the same 
XMLSecurityManager, and also XMLSecurityPropertyManager. I've changed 
the code so that they are cloned.
> -Alan.
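The check a reviewer would run against a fix like this, as an added example that is not part of the thread or the JDK patch: parse the same entity-heavy document twice with one parser instance under an expansion limit that a single document fits within but two documents sharing one counter do not. With per-document limits both parses succeed; a parser that carried the count across documents rejects the second one with the entity-expansion-limit error. The property name is assumed to be the JDK JAXP limit property (it is not quoted in the thread), and the sample document is constructed here.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;

public class EntityLimitPerDocument {
    // JDK JAXP property that caps entity expansions for one parse
    // (assumed name; the review thread does not quote it).
    static final String LIMIT_PROP =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Constructed sample: an internal DTD whose entity &e; is referenced
    // 50 times. One parse needs 50 expansions; two parses that share a
    // counter would need 100 and exceed the budget of 60 set below.
    static final String DOC = buildDoc(50);

    static String buildDoc(int refs) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE root [<!ENTITY e \"x\">]><root>");
        for (int i = 0; i < refs; i++) sb.append("&e;");
        return sb.append("</root>").toString();
    }

    // DOM: one DocumentBuilder, the same document twice, budget of 60 expansions.
    static void domTwice() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setAttribute(LIMIT_PROP, 60);
        DocumentBuilder b = f.newDocumentBuilder();
        for (int i = 1; i <= 2; i++) {
            b.parse(new InputSource(new StringReader(DOC)));
            System.out.println("DOM parse " + i + " ok");
        }
    }

    // StAX: one XMLInputFactory, two readers over the same document.
    static void staxTwice() throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(LIMIT_PROP, 60);
        for (int i = 1; i <= 2; i++) {
            XMLStreamReader r = xif.createXMLStreamReader(new StringReader(DOC));
            while (r.hasNext()) r.next();   // pulling events drives entity expansion
            r.close();
            System.out.println("StAX parse " + i + " ok");
        }
    }

    public static void main(String[] args) throws Exception {
        domTwice();
        staxTwice();
    }
}
```

A second parse that fails here is the shared-counter symptom the bug report describes: the limit still protects the process, but legitimate documents parsed later through the same reader are rejected once the cumulative count crosses it.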
