RFR (JAXP): 8028111 : XML readers share the same entity expansion counter
huizhe.wang at oracle.com
Thu Nov 14 16:09:51 UTC 2013
On 11/14/2013 2:51 AM, Alan Bateman wrote:
> On 13/11/2013 22:08, huizhe wang wrote:
>> Each parser has its own copy of XMLSecurityManager that maintains the
>> values of the limits. The parser is reset before it starts to parse a
>> document. Resetting the values managed by XMLSecurityManager
>> therefore makes sure that the limits are per document.
>> Daniel sent me a private email to question if the reset in
>> PropertyManager is safe. He was right. I traced that back to the
>> previous patch in that the StAX parsers actually were sharing the
>> same XMLSecurityManager, and also XMLSecurityPropertyManager. I've
>> changed the code so that they are cloned.
> Sorry about that, having it called XMLSecurityManager when it's not a
> SecurityManager is always confusing. In that case, it looks okay to me.
It was worse if you remember we changed it to XMLSecurityManager from
SecurityManager in the 7u45 release, so at least it's XML security
manager, not security manager SecurityManager :-)
We can refactor it easily if it's annoying to read. But probably next
time when we have a bit more time.
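
A check for the per-document behaviour discussed in this thread, as an added example that is not part of the original message or of the JAXP patch: it creates several StAX readers from one factory and parses the same small document with each. The class name, the sample document and the limit of 10 are constructed for illustration; `jdk.xml.entityExpansionLimit` is the standard JAXP system property.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical class name; not taken from the JDK sources or its tests.
public class PerDocumentLimitCheck {

    // Constructed sample: six references to one internal entity,
    // below the limit of 10 configured in main().
    static final String DOC =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY e \"x\">]>"
        + "<r>&e;&e;&e;&e;&e;&e;</r>";

    // Parse DOC to the end with a fresh reader from the given factory.
    static void parse(XMLInputFactory factory) throws XMLStreamException {
        XMLStreamReader reader =
            factory.createXMLStreamReader(new StringReader(DOC));
        try {
            while (reader.hasNext()) {
                reader.next();
            }
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) {
        // Must be set before the factory is created so it picks up the limit.
        System.setProperty("jdk.xml.entityExpansionLimit", "10");
        XMLInputFactory factory = XMLInputFactory.newInstance();

        // If the limit is tracked per document, every pass succeeds.
        // If readers shared one counter, the running total would pass
        // the limit on a later document and that parse would be rejected.
        for (int i = 1; i <= 3; i++) {
            try {
                parse(factory);
                System.out.println("document " + i + ": parsed");
            } catch (XMLStreamException e) {
                System.out.println("document " + i + ": rejected: "
                    + e.getMessage());
            }
        }
    }
}
```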