Question regarding "Entity Expansion in JAXB", "-DentityExpansionLimit" and "8017298: Better XML support"
Alan Bateman
Alan.Bateman at oracle.com
Thu Nov 7 18:05:46 UTC 2013
On 07/11/2013 17:33, Volker Simonis wrote:
> Hi,
>
> I have a question related to change "8017298: Better XML support"
> which went into the last security update. Because it was considered a
> security fix, there's not much information available (i.e. no webrev,
> no bug description, no discussion on the public mailing lists).
>
> As far as I can see, the "entityExpansionLimit" for JAXB has been
> there since Java 5 and according to Blaise Doughan's blog at
> http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html
> it should have been enabled by default together with the
> XMLConstants.FEATURE_SECURE_PROCESSING feature.
>
> Now we have a customer who claims that after upgrading to 7u45 he gets
> an exception because of too many entity expansions. The customer
> explicitly sets "-DentityExpansionLimit=1".
>
> For us it seems as if before change "8017298: Better XML support"
> there must have been places in the libraries which ignored the
> "entityExpansionLimit" setting even if this was explicitly specified
> by the user. Can somebody confirm this assumption or is our customer
> facing another problem?
This might be useful:
http://docs.oracle.com/javase/tutorial/jaxp/limits/index.html
-Alan.
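The thread is about whether the entity expansion limit is actually enforced, so the following is a small added check (not code from the thread or from the JDK) that parses one constructed entity-chain document under two different limits and shows that a low limit rejects it while a high one accepts it. It assumes JDK 7u40 or later, where the per-factory JAXP property URI documented in the Oracle JAXP limits tutorial linked above is supported; the `-DentityExpansionLimit` system property discussed in the thread works JVM-wide and must instead be set at launch, before any parser is created.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class EntityExpansionLimitCheck {

    // Constructed sample document: expanding &c; requires seven entity
    // references in total (1 x &c; + 2 x &b; + 4 x &a;).
    static final String NESTED_ENTITIES =
        "<!DOCTYPE r [\n"
      + "<!ENTITY a \"x\">\n"
      + "<!ENTITY b \"&a;&a;\">\n"
      + "<!ENTITY c \"&b;&b;\">\n"
      + "]>\n"
      + "<r>&c;</r>";

    // Per-factory limit property from the Oracle JAXP limits tutorial
    // (assumes JDK 7u40+; older JDKs reject unknown attributes).
    static final String LIMIT_PROPERTY =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    /** Parses xml with the given expansion limit; true if the parser accepted it. */
    static boolean parsesUnderLimit(String xml, int limit) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Secure processing must be on for the limits to be enforced.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setAttribute(LIMIT_PROPERTY, Integer.toString(limit));
        try {
            dbf.newDocumentBuilder()
               .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (org.xml.sax.SAXParseException e) {
            // Xerces reports a breached limit as a fatal parse error.
            System.err.println("rejected at limit " + limit + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // A limit below the document's seven expansions should reject it ...
        System.out.println("limit 4 accepts: " + parsesUnderLimit(NESTED_ENTITIES, 4));
        // ... while the documented default of 64000 lets the same document through.
        System.out.println("limit 64000 accepts: " + parsesUnderLimit(NESTED_ENTITIES, 64000));
    }
}
```

Running the same check with `-DentityExpansionLimit=1` on the command line, and the `setAttribute` call removed, reproduces the customer's situation: any document using general entities is rejected once the property is honoured.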