JDK-6315411

Default value of the Entity Expansion Limit

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P4
    • Resolution: Won't Fix
    • Affects Version/s: 5.0u55, 6u65, 7u45, 8
    • Fix Version/s: tbd_minor
    • Component/s: xml
    • CPU: x86
    • OS: windows_2000

      Description

      A DESCRIPTION OF THE REQUEST :
      While the reason behind entityExpansionLimit seems valid (DoS) I am not sure if the solution has been rationally exposed.

      - The rationale behind using 64,000 as the default value seems questionable to begin with.

      - Further, there should be a semantic for specifying infinite or no limit as the value.

      - Currently, other than system properties, there is no good way of modifying the value at a parser level for SAX parsing.

      - Also, the entity expansion counting design should probably be revised.
      All entity usages are counted currently, while to me, it makes sense to do that only for UNIQUE entities used in the XML. Thus, if I just use   64,001 times in an XML, I would end up getting a SAXParseException for entity expansion. If I understand it correctly, all   entities should have mapped to a single hashmap/hashtable value here. Not sure then, why all their usages are accounted for. Can duplicate entity usages in an XML as above really contribute to DoS?

      Thanks

      JUSTIFICATION :
      Quite a few people have working systems using older JREs and xalan/xerces. It's not unlikely that they have encoded XMLs with several system entities (  , > etc...).
      For such cases, it is quite tedious to have to deal with entity expansion limit problems while porting to 1.4.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      As above it would be good if we

      [1] evaluate the reason behind using 64K as the default

      [2] provide a semantic for specifying "no limit" for entity expansion limit.

      [3] better support for changing limit value for SAX parsers.

      [4] evaluate the design/implementation of entity expansion counting -> does the counter need to increment for duplicate entity usages?
      ACTUAL -
      --- described above ---

      ---------- BEGIN SOURCE ----------
      --- any parsing code should help see the problem. the test xml needs to have more than 64000 entities. ---
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      --- set the entityExpansionLimit to a high value ---
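      As an added example (not from this report and not the JDK's own code): a small Java program that sets the entity expansion limit on a single SAX parser through the JAXP property rather than a system property, which is what request [3] asks for, and then shows that repeated references to one and the same internal entity are each counted against that limit, which is the behaviour request [4] questions. It assumes JDK 7u40 or later, where that property exists; the class name, the limit value and the sample XML are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityExpansionLimitDemo {

    // JAXP property for the per-parser entity expansion limit (assumes JDK 7u40+).
    static final String ENTITY_EXPANSION_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Constructed input: one internal general entity, referenced n times in content.
    static String xmlWithRepeatedEntity(int n) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE r [<!ENTITY e \"x\">]><r>");
        for (int i = 0; i < n; i++) {
            sb.append("&e;");
        }
        return sb.append("</r>").toString();
    }

    // Returns true if the document parsed, false if the parser rejected it because
    // the entity expansion limit was exceeded (reported as a SAXParseException).
    static boolean parsesUnderLimit(String xml, int limit) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        // Per-parser setting: no -DentityExpansionLimit system property needed.
        parser.setProperty(ENTITY_EXPANSION_LIMIT, String.valueOf(limit));
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int limit = 10;
        // Well under the limit: parses.
        System.out.println("5 refs, limit 10 -> parsed = "
            + parsesUnderLimit(xmlWithRepeatedEntity(5), limit));
        // The same single entity referenced far more often than the limit: rejected,
        // because every reference is counted, not only each distinct entity.
        System.out.println("40 refs, limit 10 -> parsed = "
            + parsesUnderLimit(xmlWithRepeatedEntity(40), limit));
    }
}
```

      The counts are kept clearly below and above the limit on purpose: the exact reference at which the parser stops is an implementation detail, while the point shown here is that a single entity used repeatedly is counted per use.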

          Activity

          jsuttorsunw Jeff Suttor (Inactive) added a comment -
          BT2:EVALUATION

          Meeting these needs will require public API and possible compatibility changes, so this is being targeted to JAXP.next.
          joehw Joe Wang added a comment -
          The proposed enhancement has been resolved through JDK-8014530 except [1] 64K as the default. Refer also to Processing Limits: http://docs.oracle.com/javase/tutorial/jaxp/limits/index.html

          I would like us to consider increasing the limit.
          joehw Joe Wang added a comment -
          P3 to P4: not critical since we are fixing the issue through JDK-8028111.
          joehw Joe Wang added a comment -
          No need for this enhancement request anymore after the work around all of the JAXP limits.

            People

            • Assignee: joehw Joe Wang
            • Reporter: gmanwanisunw Girish Manwani (Inactive)