Posted to j-users@xerces.apache.org by Behrang Saeedzadeh <be...@gmail.com> on 2017/12/23 23:02:55 UTC

How to programmatically disable the TOTAL_ENTITY_SIZE_LIMIT limit?

Hi

JDK is using Xerces by default for StAX and some other XML related APIs.

This implementation uses
com.sun.org.apache.xerces.internal.utils.XMLSecurityManager as the XML
security manager and has a limit of
com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit#TOTAL_ENTITY_SIZE_LIMIT
(5,000,000) enabled by default.

Is there a way to programmatically disable this limit when using StAX?

For example, when creating an XMLInputFactory and XMLEventReader:

final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
final XMLEventReader eventReader = inputFactory.createXMLEventReader(inputStream);



Best regards,
Behrang Saeedzadeh

Re: How to programmatically disable the TOTAL_ENTITY_SIZE_LIMIT limit?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Xerces does not have an implementation of 
javax.xml.stream.XMLStreamReader. It seems that you are using Oracle's 
JAXP implementation. You're more likely to get a helpful answer on one of 
their forums.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Behrang Saeedzadeh <be...@gmail.com> wrote on 12/23/2017 06:20:09 PM:

> Apparently it can be disabled globally using the 
> "jdk.xml.totalEntitySizeLimit":
> System.setProperty("jdk.xml.totalEntitySizeLimit", "0");
> But I was wondering if it can be disabled on a given XMLEventReader 
> or javax.xml.stream.XMLStreamReader?
> 
> Best regards,
> Behrang Saeedzadeh
> 
> On 24 December 2017 at 10:02, Behrang Saeedzadeh <be...@gmail.com> wrote:
> Hi
> 
> JDK is using Xerces by default for StAX and some other XML related APIs.
> 
> This implementation uses
> com.sun.org.apache.xerces.internal.utils.XMLSecurityManager as
> the XML security manager and has a limit of
> com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit#TOTAL_ENTITY_SIZE_LIMIT
> (5,000,000) enabled by default.
> 
> Is there a way to programmatically disable this limit when using StAX?
> 
> For example, when creating an XMLInputFactory and XMLEventReader:
> 
> final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
> final XMLEventReader eventReader = inputFactory.createXMLEventReader(inputStream);
> 
> Best regards,
> Behrang Saeedzadeh


Re: How to programmatically disable the TOTAL_ENTITY_SIZE_LIMIT limit?

Posted by Behrang Saeedzadeh <be...@gmail.com>.
Apparently it can be disabled globally using the
"jdk.xml.totalEntitySizeLimit":

System.setProperty("jdk.xml.totalEntitySizeLimit", "0");

But I was wondering if it can be disabled on a given XMLEventReader or
javax.xml.stream.XMLStreamReader?

Best regards,
Behrang Saeedzadeh

On 24 December 2017 at 10:02, Behrang Saeedzadeh <be...@gmail.com>
wrote:

> Hi
>
> JDK is using Xerces by default for StAX and some other XML related APIs.
>
> This implementation uses
> com.sun.org.apache.xerces.internal.utils.XMLSecurityManager
> as the XML security manager and has a limit of
> com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit#TOTAL_ENTITY_SIZE_LIMIT
> (5,000,000) enabled by default.
>
> Is there a way to programmatically disable this limit when using StAX?
>
> For example, when creating an XMLInputFactory and XMLEventReader:
>
> final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
>
> final XMLEventReader eventReader = inputFactory.createXMLEventReader(inputStream);
>
>
>
> Best regards,
> Behrang Saeedzadeh
>
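
Added example, not part of the thread: one way to scope the total entity size limit to a single XMLInputFactory rather than changing it JVM-wide with System.setProperty, so other parsers in the process keep the default. It assumes the JDK's built-in JAXP implementation, where XMLInputFactory.setProperty accepts the JAXP limit property name shown; the class name, helper names and sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;

public class ScopedEntityLimit {
    // JAXP property name recognised by the JDK's built-in StAX implementation.
    static final String TOTAL_ENTITY_SIZE_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    // Returns a factory whose limit applies only to readers created from it.
    // A value of 0 or less means "no limit"; prefer a bounded value sized to the input.
    static XMLInputFactory factoryWithLimit(int limit) {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        if (!factory.isPropertySupported(TOTAL_ENTITY_SIZE_LIMIT)) {
            // Assumption: another StAX implementation was picked up from the classpath.
            throw new IllegalStateException("Unsupported by " + factory.getClass().getName());
        }
        factory.setProperty(TOTAL_ENTITY_SIZE_LIMIT, Integer.toString(limit));
        return factory;
    }

    // Reads every event and reports whether the parser accepted the document.
    static String parse(XMLInputFactory factory, String xml) {
        try {
            XMLEventReader reader = factory.createXMLEventReader(new StringReader(xml));
            int events = 0;
            while (reader.hasNext()) {
                reader.nextEvent();
                events++;
            }
            reader.close();
            return "accepted (" + events + " events)";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one internal entity of 500 characters, referenced once.
        String value = new String(new char[500]).replace('\0', 'x');
        String xml = "<!DOCTYPE doc [<!ENTITY e \"" + value + "\">]><doc>&e;</doc>";

        System.out.println("limit 100:   " + parse(factoryWithLimit(100), xml));
        System.out.println("limit 10000: " + parse(factoryWithLimit(10_000), xml));
        System.out.println("JVM default: " + parse(XMLInputFactory.newInstance(), xml));
    }
}
```

Each factory carries its own setting, so a raised limit can be confined to the one code path that handles known-large, trusted documents.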