Posted to dev@tika.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/09/21 13:46:00 UTC

[jira] [Commented] (TIKA-2731) Unnecessary call to System.getProperties() in XMLReaderUtils

    [ https://issues.apache.org/jira/browse/TIKA-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16623638#comment-16623638 ] 

ASF GitHub Bot commented on TIKA-2731:
--------------------------------------

jkakavas opened a new pull request #250: fix for TIKA-2731 contributed by @jkakavas
URL: https://github.com/apache/tika/pull/250
 
 
   As part of the changes introduced in 1.19 `determineMaxEntityExpansions` needs to read the `jdk.xml.entityExpansionLimit` System Property in order to overwrite the default value of 20, if it is set.
   This is, however, done by reading all System Properties with `System#getProperties()` and attempting to find the relevant key in the properties Object. The issue with this approach is that `System#getProperties()` requires:
   ```
   java.util.PropertyPermission "*", "read,write"
   ```
   which is an overly permissive one to allow for the given use case.
   
   A more sane approach, following the least privilege design principle, would be to use `System.getProperty()` for the specific property that only requires
   ```
   java.util.PropertyPermission "jdk.xml.entityExpansionLimit", "read"
   ```
   


> Unnecessary call to System.getProperties() in XMLReaderUtils
> ------------------------------------------------------------
>
>                 Key: TIKA-2731
>                 URL: https://issues.apache.org/jira/browse/TIKA-2731
>             Project: Tika
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.19
>            Reporter: Ioannis Kakavas
>            Priority: Major
>             Fix For: 1.20
>
>
> As part of the changes introduced in [1.19 |https://github.com/apache/tika/commit/4e67928412ad56333d400f3728ecdb59d07d9d63] determineMaxEntityExpansions needs to read the jdk.xml.entityExpansionLimit System Property in order to overwrite the default value of 20, if it is set. 
> This is, however, done by reading all System Properties with System.getProperties() and attempting to find the relevant key in the properties Object. The issue with this approach is that getProperties() requires 
> {noformat}java.util.PropertyPermission "*", "read,write"{noformat}
> which is overly permissive.
> A more sane approach, following the least privilege design principle, would be to use System.getProperty() for the specific property that only requires 
> {noformat}java.util.PropertyPermission "jdk.xml.entityExpansionLimit", "read"{noformat}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
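
The difference described in the pull request above, as an added illustration that is not Tika's code and not part of the original message. The class and method names are hypothetical, and falling back to the default of 20 on a denied or malformed value is this example's own choice. It checks a constructed least-privilege grant with `Permissions.implies`, so it needs no security manager to run.

```java
import java.security.Permissions;
import java.util.PropertyPermission;

public class EntityExpansionLimitDemo {
    static final String KEY = "jdk.xml.entityExpansionLimit";
    static final int DEFAULT_LIMIT = 20; // default value stated in the PR description

    // Before: fetches the whole property table to look up one key.
    // Under a security manager this needs PropertyPermission "*", "read,write".
    static int readLimitBroad() {
        return parse(System.getProperties().getProperty(KEY));
    }

    // After: asks for the single key.
    // Needs only PropertyPermission "jdk.xml.entityExpansionLimit", "read".
    static int readLimitNarrow() {
        try {
            return parse(System.getProperty(KEY));
        } catch (SecurityException e) {
            return DEFAULT_LIMIT; // assumption: keep the default if the read is denied
        }
    }

    static int parse(String value) {
        if (value == null) {
            return DEFAULT_LIMIT; // property not set
        }
        try {
            return Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            return DEFAULT_LIMIT; // assumption: ignore a malformed value
        }
    }

    public static void main(String[] args) {
        // Constructed policy: only the narrow permission is granted.
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission(KEY, "read"));

        PropertyPermission broad = new PropertyPermission("*", "read,write");
        PropertyPermission narrow = new PropertyPermission(KEY, "read");
        System.out.println("grant covers getProperties():   " + granted.implies(broad));
        System.out.println("grant covers getProperty(KEY):  " + granted.implies(narrow));

        System.setProperty(KEY, "64"); // constructed sample value
        System.out.println("limit read via getProperty():   " + readLimitNarrow());
        System.out.println("limit read via getProperties(): " + readLimitBroad());
    }
}
```

Under a policy that grants only the narrow permission, the `getProperties()` variant would throw a `SecurityException`, which is why a host application embedding the library would otherwise have to grant read and write access to every system property.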