Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6315411

Default value of the Entity Expansion Limit

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P4
    • Resolution: Won't Fix
    • Affects Version/s: 5.0u55, 6u65, 7u45, 8
    • Fix Version/s: tbd_minor
    • Component/s: xml
    • Labels:
    • Subcomponent:
    • CPU:
      x86
    • OS:
      windows_2000

      Description

      A DESCRIPTION OF THE REQUEST :
      While the reason behind entityExpansionLimit seems valid (DoS) I am not sure if the solution has been rationally exposed.

      - The rational behind using 64,000 as the default value seems questionable to begin with.

      - Further, there should be a semantic for specifying infinite or no limit as the value.

      - Currently, other than system properties, there is no good way of modifying the value at a parser level for SAX parsing.

      - Also, the entity expansion counting design should probably be revised.
      All entity usage are counted currently, while to me, it makes sense to do that only for UNIQUE entities used in the XML. Thus, if I just use   64,001 times in an XML, I would end up getting a SAXParseException for entity expansion. If I understand it correctly, all   entities should have mapped to a single hashmap/hashtable value here. Not sure then, why all their usages are accounted for. Can duplicate entity usages in a XML as above really contribute to DoS ?

      Thanks

      JUSTIFICATION :
      Quite a few people have working systems using older jre and xalan/xerces. Its not unlikely that they have encoded XMLs with several system entities (  , > etc...).
      For such cases, it quite tedious to have to deal with entity expansion limit problems while porting to 1.4.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      As above it would be good if we

      [1] evaluate the reason behind using 64K as the default

      [2] provide a semantic for specifying "no limit" for entity expansion limit.

      [3] better support for changing limit value for SAX parsers.

      [4] evaluate the design/implementation of entity expansion counting -> does the counter need to increment for duplicate entity usages ?
      ACTUAL -
      --- described above ---

      ---------- BEGIN SOURCE ----------
      --- any parsing code should help see the problem. the test xml needs to have more than 64000 entities. ---
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      --- set the entityExpansionLimit to a high value ---

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                joehw Joe Wang
                Reporter:
                gmanwanisunw Girish Manwani (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Due:
                  Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: