You are viewing a plain text version of this content. The canonical link for it is here.
Posted to j-dev@xerces.apache.org by Elliotte Rusty Harold <el...@ibiblio.org> on 2014/08/08 18:55:34 UTC
Re: totalEntitySizeLimit
I can make SecureProcessingConfiguration recognize the SAX property
http://apache.org/xml/properties/total-entity-size-limit (i.e. you can get
it and set it.)
However there's something I'm missing in terms of making it actually pay
attention to it.
I've added this code to checkEntitySizeLimits:
// If a specific value is set on the reader use that; otherwise use
system value
int totalEntitySizeProperty = ((Number)
getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
totalEntitySizeProperty
: TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
However my tests and the debugger tell me that nothing is ever
calling checkEntitySizeLimits. So there's probably something I don't
understand about setting up the parser. What I'm doing is this:
public class TotalEntitySizeTest extends TestCase {
private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
= "http://apache.org/xml/properties/total-entity-size-limit";
public void testSAXTotalEntitySizeLimitSystemProperty() throws
Exception {
XMLReader reader = new SecureParser();
reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
Integer.valueOf(10000));
assertEquals(Integer.valueOf(10000),
reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
try {
reader.parse(new InputData("pEntitySP.xml"));
fail("Expected SAXParseException");
}
catch (SAXParseException se) {
assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
}
}
private static class SecureParser extends SAXParser {
SecureParser() {
super(new SecureProcessingConfiguration());
}
}
}
It fails with a heap out of memory. Any suggestions?
On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <mr...@ca.ibm.com>
wrote:
> Was planning on only adding it to SecureProcessingConfiguration. Have been
> thinking about making it the default config in the next release.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
>
> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014 02:30:10
> PM:
>
> > Should this property be supported by all configurations are just by
> > the SecureProcessingConfiguration?
> >
>
> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
> <mrglavas@ca.ibm.com
> > > wrote:
> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014 04:08:58
> > PM:
> >
> > > From: Elliotte Rusty Harold <el...@ibiblio.org>
> > > To: j-dev@xerces.apache.org,
> > > Date: 07/08/2014 04:09 PM
> > > Subject: Re: totalEntitySizeLimit
> > >
> > > What name will be used?
>
> > Following naming conventions of Xerces' other properties it would
> probably
> > be something like:
> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
> >
> > > Any plans for when the next release is likely to drop?
>
> > There's no date yet. Any discussion about that would happen on this
> > mailing list. We know we're long overdue though.
> >
> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
> > <mr...@ca.ibm.com>
> > > > wrote:
> > > There's been some work on the trunk for supporting similar function
> but
> > it
> > > won't be exposed with that Oracle property name.
> > >
> > > Michael Glavassevich
> > > XML Technologies and WAS Development
> > > IBM Toronto Lab
> > > E-mail: mrglavas@ca.ibm.com
> > > E-mail: mrglavas@apache.org
> > >
> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
> 12:30:07
> > > PM:
> > >
> > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
> > > > properties/totalEntitySizeLimit property or equivalent in trunk
> > Xerces?
> > > >
> > > > It is supported for a few months now in the patched Xerces shipped
> > > > with the JDK 7.
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elharo@ibiblio.org
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elharo@ibiblio.org
>
> > Thanks.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
> >
>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: j-dev-help@xerces.apache.org
>
>
--
Elliotte Rusty Harold
elharo@ibiblio.org
Re: totalEntitySizeLimit
Posted by Michael Glavassevich <mr...@ca.ibm.com>.
It's still on my TODO list but unfortunately haven't had any time (aside
from answering the odd e-mail) for Apache lately.
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
Elliotte Rusty Harold <el...@ibiblio.org> wrote on 09/19/2014 05:41:08
PM:
> Ping again. It's over a month now. Employer support for working on
> this may go away soon. :-(
>
> On Fri, Aug 15, 2014 at 10:35 AM, Michael Glavassevich
<mrglavas@ca.ibm.com
> > wrote:
> Been busy with my day job. Hope to take a look at it soon.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
>
> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 08/15/2014 10:31:27
> AM:
>
> > Ping. Any thoughts about this? I don't expect you to accept the
> > patch as is, but I would like to get the ball rolling.
> >
> > Thanks.
> >
>
> > On Fri, Aug 8, 2014 at 3:27 PM, Elliotte Rusty Harold
> <elharo@ibiblio.org
> > > wrote:
> > I'm attaching a patch. (I looked for a way to attach a patch in Jira
> > but couldn't find one.)
> >
> > Feel free to request revisions.
> >
>
> > On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold
> <elharo@ibiblio.org
> > > wrote:
> >
> > OK this is weird. Apparently everything works if I set
> >
> > System.setProperty("jdk.xml.entityExpansionLimit", "0");
> >
> > and otherwise it doesn't. Somehow that triggers the use of the
> > SecureProcessingConfiguration. Can anyone explain why?
> >
> >
>
> > On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold
> <elharo@ibiblio.org
> > > wrote:
> > I can make SecureProcessingConfiguration recognize the SAX property
> > http://apache.org/xml/properties/total-entity-size-limit (i.e. you
> > can get it and set it.)
> >
> > However there's something I'm missing in terms of making it
> > actually pay attention to it.
> >
> > I've added this code to checkEntitySizeLimits:
> >
> > // If a specific value is set on the reader use that;
> > otherwise use system value
> > int totalEntitySizeProperty = ((Number) getProperty
> > (TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
> > int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
> > totalEntitySizeProperty
> > : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
> >
> >
> > However my tests and the debugger tell me that nothing is ever
> > calling checkEntitySizeLimits. So there's probably something I don't
> > understand about setting up the parser. What I'm doing is this:
> >
> > public class TotalEntitySizeTest extends TestCase {
> >
> > private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
> > = "http://apache.org/xml/properties/total-entity-size-limit";
> >
> > public void testSAXTotalEntitySizeLimitSystemProperty() throws
> Exception {
> > XMLReader reader = new SecureParser();
> > reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
> > Integer.valueOf(10000));
> > assertEquals(Integer.valueOf(10000), reader.getProperty
> > (TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
> >
> > try {
> > reader.parse(new InputData("pEntitySP.xml"));
> > fail("Expected SAXParseException");
> > }
> > catch (SAXParseException se) {
> > assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
> > }
> > }
> >
> > private static class SecureParser extends SAXParser {
> > SecureParser() {
> > super(new SecureProcessingConfiguration());
> > }
> > }
> >
> > }
> >
> > It fails with a heap out of memory. Any suggestions?
> >
> >
>
> > On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich
> <mrglavas@ca.ibm.com
> > > wrote:
> > Was planning on only adding it to SecureProcessingConfiguration. Have
> been
> > thinking about making it the default config in the next release.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
>
> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014
02:30:10
> > PM:
> >
> > > Should this property be supported by all configurations are just by
> > > the SecureProcessingConfiguration?
> > >
> >
> > > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
> > <mrglavas@ca.ibm.com
> > > > wrote:
> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
> 04:08:58
> > > PM:
> > >
> > > > From: Elliotte Rusty Harold <el...@ibiblio.org>
> > > > To: j-dev@xerces.apache.org,
> > > > Date: 07/08/2014 04:09 PM
> > > > Subject: Re: totalEntitySizeLimit
> > > >
> > > > What name will be used?
> >
> > > Following naming conventions of Xerces' other properties it would
> > probably
> > > be something like:
> > > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
> > >
> > > > Any plans for when the next release is likely to drop?
> >
> > > There's no date yet. Any discussion about that would happen on this
> > > mailing list. We know we're long overdue though.
> > >
> > > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
> > > <mr...@ca.ibm.com>
> > > > > wrote:
> > > > There's been some work on the trunk for supporting similar
function
> > but
> > > it
> > > > won't be exposed with that Oracle property name.
> > > >
> > > > Michael Glavassevich
> > > > XML Technologies and WAS Development
> > > > IBM Toronto Lab
> > > > E-mail: mrglavas@ca.ibm.com
> > > > E-mail: mrglavas@apache.org
> > > >
> > > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
> > 12:30:07
> > > > PM:
> > > >
> > > > > Is there any plan to implement the
http://www.oracle.com/xml/jaxp/
> > > > > properties/totalEntitySizeLimit property or equivalent in trunk
> > > Xerces?
> > > > >
> > > > > It is supported for a few months now in the patched Xerces
shipped
> > > > > with the JDK 7.
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > elharo@ibiblio.org
> > > >
> > > >
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > > > For additional commands, e-mail: j-dev-help@xerces.apache.org
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elharo@ibiblio.org
> >
> > > Thanks.
> > >
> > > Michael Glavassevich
> > > XML Technologies and WAS Development
> > > IBM Toronto Lab
> > > E-mail: mrglavas@ca.ibm.com
> > > E-mail: mrglavas@apache.org
> > >
> >
> > >
---------------------------------------------------------------------
> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
> >
> > >
> >
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elharo@ibiblio.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: j-dev-help@xerces.apache.org
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-dev-help@xerces.apache.org
Re: totalEntitySizeLimit
Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
Ping again. It's over a month now. Employer support for working on this may
go away soon. :-(
On Fri, Aug 15, 2014 at 10:35 AM, Michael Glavassevich <mr...@ca.ibm.com>
wrote:
> Been busy with my day job. Hope to take a look at it soon.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
>
> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 08/15/2014 10:31:27
> AM:
>
> > Ping. Any thoughts about this? I don't expect you to accept the
> > patch as is, but I would like to get the ball rolling.
> >
> > Thanks.
> >
>
> > On Fri, Aug 8, 2014 at 3:27 PM, Elliotte Rusty Harold
> <elharo@ibiblio.org
> > > wrote:
> > I'm attaching a patch. (I looked for a way to attach a patch in Jira
> > but couldn't find one.)
> >
> > Feel free to request revisions.
> >
>
> > On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold
> <elharo@ibiblio.org
> > > wrote:
> >
> > OK this is weird. Apparently everything works if I set
> >
> > System.setProperty("jdk.xml.entityExpansionLimit", "0");
> >
> > and otherwise it doesn't. Somehow that triggers the use of the
> > SecureProcessingConfiguration. Can anyone explain why?
> >
> >
>
> > On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold
> <elharo@ibiblio.org
> > > wrote:
> > I can make SecureProcessingConfiguration recognize the SAX property
> > http://apache.org/xml/properties/total-entity-size-limit (i.e. you
> > can get it and set it.)
> >
> > However there's something I'm missing in terms of making it
> > actually pay attention to it.
> >
> > I've added this code to checkEntitySizeLimits:
> >
> > // If a specific value is set on the reader use that;
> > otherwise use system value
> > int totalEntitySizeProperty = ((Number) getProperty
> > (TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
> > int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
> > totalEntitySizeProperty
> > : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
> >
> >
> > However my tests and the debugger tell me that nothing is ever
> > calling checkEntitySizeLimits. So there's probably something I don't
> > understand about setting up the parser. What I'm doing is this:
> >
> > public class TotalEntitySizeTest extends TestCase {
> >
> > private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
> > = "http://apache.org/xml/properties/total-entity-size-limit";
> >
> > public void testSAXTotalEntitySizeLimitSystemProperty() throws
> Exception {
> > XMLReader reader = new SecureParser();
> > reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
> > Integer.valueOf(10000));
> > assertEquals(Integer.valueOf(10000), reader.getProperty
> > (TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
> >
> > try {
> > reader.parse(new InputData("pEntitySP.xml"));
> > fail("Expected SAXParseException");
> > }
> > catch (SAXParseException se) {
> > assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
> > }
> > }
> >
> > private static class SecureParser extends SAXParser {
> > SecureParser() {
> > super(new SecureProcessingConfiguration());
> > }
> > }
> >
> > }
> >
> > It fails with a heap out of memory. Any suggestions?
> >
> >
>
> > On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich
> <mrglavas@ca.ibm.com
> > > wrote:
> > Was planning on only adding it to SecureProcessingConfiguration. Have
> been
> > thinking about making it the default config in the next release.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
>
> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014 02:30:10
> > PM:
> >
> > > Should this property be supported by all configurations are just by
> > > the SecureProcessingConfiguration?
> > >
> >
> > > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
> > <mrglavas@ca.ibm.com
> > > > wrote:
> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
> 04:08:58
> > > PM:
> > >
> > > > From: Elliotte Rusty Harold <el...@ibiblio.org>
> > > > To: j-dev@xerces.apache.org,
> > > > Date: 07/08/2014 04:09 PM
> > > > Subject: Re: totalEntitySizeLimit
> > > >
> > > > What name will be used?
> >
> > > Following naming conventions of Xerces' other properties it would
> > probably
> > > be something like:
> > > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
> > >
> > > > Any plans for when the next release is likely to drop?
> >
> > > There's no date yet. Any discussion about that would happen on this
> > > mailing list. We know we're long overdue though.
> > >
> > > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
> > > <mr...@ca.ibm.com>
> > > > > wrote:
> > > > There's been some work on the trunk for supporting similar function
> > but
> > > it
> > > > won't be exposed with that Oracle property name.
> > > >
> > > > Michael Glavassevich
> > > > XML Technologies and WAS Development
> > > > IBM Toronto Lab
> > > > E-mail: mrglavas@ca.ibm.com
> > > > E-mail: mrglavas@apache.org
> > > >
> > > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
> > 12:30:07
> > > > PM:
> > > >
> > > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
> > > > > properties/totalEntitySizeLimit property or equivalent in trunk
> > > Xerces?
> > > > >
> > > > > It is supported for a few months now in the patched Xerces shipped
> > > > > with the JDK 7.
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > elharo@ibiblio.org
> > > >
> > > >
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > > > For additional commands, e-mail: j-dev-help@xerces.apache.org
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elharo@ibiblio.org
> >
> > > Thanks.
> > >
> > > Michael Glavassevich
> > > XML Technologies and WAS Development
> > > IBM Toronto Lab
> > > E-mail: mrglavas@ca.ibm.com
> > > E-mail: mrglavas@apache.org
> > >
> >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
> >
> > >
> >
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elharo@ibiblio.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: j-dev-help@xerces.apache.org
>
>
--
Elliotte Rusty Harold
elharo@ibiblio.org
Re: totalEntitySizeLimit
Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Been busy with my day job. Hope to take a look at it soon.
Thanks.
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
Elliotte Rusty Harold <el...@ibiblio.org> wrote on 08/15/2014 10:31:27
AM:
> Ping. Any thoughts about this? I don't expect you to accept the
> patch as is, but I would like to get the ball rolling.
>
> Thanks.
>
> On Fri, Aug 8, 2014 at 3:27 PM, Elliotte Rusty Harold
<elharo@ibiblio.org
> > wrote:
> I'm attaching a patch. (I looked for a way to attach a patch in Jira
> but couldn't find one.)
>
> Feel free to request revisions.
>
> On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold
<elharo@ibiblio.org
> > wrote:
>
> OK this is weird. Apparently everything works if I set
>
> System.setProperty("jdk.xml.entityExpansionLimit", "0");
>
> and otherwise it doesn't. Somehow that triggers the use of the
> SecureProcessingConfiguration. Can anyone explain why?
>
>
> On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold
<elharo@ibiblio.org
> > wrote:
> I can make SecureProcessingConfiguration recognize the SAX property
> http://apache.org/xml/properties/total-entity-size-limit (i.e. you
> can get it and set it.)
>
> However there's something I'm missing in terms of making it
> actually pay attention to it.
>
> I've added this code to checkEntitySizeLimits:
>
> // If a specific value is set on the reader use that;
> otherwise use system value
> int totalEntitySizeProperty = ((Number) getProperty
> (TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
> int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
> totalEntitySizeProperty
> : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>
>
> However my tests and the debugger tell me that nothing is ever
> calling checkEntitySizeLimits. So there's probably something I don't
> understand about setting up the parser. What I'm doing is this:
>
> public class TotalEntitySizeTest extends TestCase {
>
> private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
> = "http://apache.org/xml/properties/total-entity-size-limit";
>
> public void testSAXTotalEntitySizeLimitSystemProperty() throws
Exception {
> XMLReader reader = new SecureParser();
> reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
> Integer.valueOf(10000));
> assertEquals(Integer.valueOf(10000), reader.getProperty
> (TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>
> try {
> reader.parse(new InputData("pEntitySP.xml"));
> fail("Expected SAXParseException");
> }
> catch (SAXParseException se) {
> assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
> }
> }
>
> private static class SecureParser extends SAXParser {
> SecureParser() {
> super(new SecureProcessingConfiguration());
> }
> }
>
> }
>
> It fails with a heap out of memory. Any suggestions?
>
>
> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich
<mrglavas@ca.ibm.com
> > wrote:
> Was planning on only adding it to SecureProcessingConfiguration. Have
been
> thinking about making it the default config in the next release.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014 02:30:10
> PM:
>
> > Should this property be supported by all configurations are just by
> > the SecureProcessingConfiguration?
> >
>
> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
> <mrglavas@ca.ibm.com
> > > wrote:
> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
04:08:58
> > PM:
> >
> > > From: Elliotte Rusty Harold <el...@ibiblio.org>
> > > To: j-dev@xerces.apache.org,
> > > Date: 07/08/2014 04:09 PM
> > > Subject: Re: totalEntitySizeLimit
> > >
> > > What name will be used?
>
> > Following naming conventions of Xerces' other properties it would
> probably
> > be something like:
> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
> >
> > > Any plans for when the next release is likely to drop?
>
> > There's no date yet. Any discussion about that would happen on this
> > mailing list. We know we're long overdue though.
> >
> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
> > <mr...@ca.ibm.com>
> > > > wrote:
> > > There's been some work on the trunk for supporting similar function
> but
> > it
> > > won't be exposed with that Oracle property name.
> > >
> > > Michael Glavassevich
> > > XML Technologies and WAS Development
> > > IBM Toronto Lab
> > > E-mail: mrglavas@ca.ibm.com
> > > E-mail: mrglavas@apache.org
> > >
> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
> 12:30:07
> > > PM:
> > >
> > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
> > > > properties/totalEntitySizeLimit property or equivalent in trunk
> > Xerces?
> > > >
> > > > It is supported for a few months now in the patched Xerces shipped
> > > > with the JDK 7.
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elharo@ibiblio.org
> > >
> > >
---------------------------------------------------------------------
> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elharo@ibiblio.org
>
> > Thanks.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
> >
>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>
> >
>
> >
> > --
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: j-dev-help@xerces.apache.org
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-dev-help@xerces.apache.org
Re: totalEntitySizeLimit
Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
Ping. Any thoughts about this? I don't expect you to accept the patch as
is, but I would like to get the ball rolling.
Thanks.
On Fri, Aug 8, 2014 at 3:27 PM, Elliotte Rusty Harold <el...@ibiblio.org>
wrote:
> I'm attaching a patch. (I looked for a way to attach a patch in Jira but
> couldn't find one.)
>
> Feel free to request revisions.
>
>
> On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold <el...@ibiblio.org>
> wrote:
>
>>
>> OK this is weird. Apparently everything works if I set
>>
>> System.setProperty("jdk.xml.entityExpansionLimit", "0");
>>
>>
>> and otherwise it doesn't. Somehow that triggers the use of the
>> SecureProcessingConfiguration. Can anyone explain why?
>>
>>
>>
>>
>>
>>
>> On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <
>> elharo@ibiblio.org> wrote:
>>
>>> I can make SecureProcessingConfiguration recognize the SAX property
>>> http://apache.org/xml/properties/total-entity-size-limit (i.e. you can
>>> get it and set it.)
>>>
>>> However there's something I'm missing in terms of making it actually
>>> pay attention to it.
>>>
>>> I've added this code to checkEntitySizeLimits:
>>>
>>> // If a specific value is set on the reader use that; otherwise
>>> use system value
>>> int totalEntitySizeProperty = ((Number)
>>> getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
>>> int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
>>> totalEntitySizeProperty
>>> : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>>>
>>>
>>> However my tests and the debugger tell me that nothing is ever
>>> calling checkEntitySizeLimits. So there's probably something I don't
>>> understand about setting up the parser. What I'm doing is this:
>>>
>>> public class TotalEntitySizeTest extends TestCase {
>>>
>>> private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
>>> = "http://apache.org/xml/properties/total-entity-size-limit";
>>>
>>> public void testSAXTotalEntitySizeLimitSystemProperty() throws
>>> Exception {
>>> XMLReader reader = new SecureParser();
>>> reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
>>> Integer.valueOf(10000));
>>> assertEquals(Integer.valueOf(10000),
>>> reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>>>
>>> try {
>>> reader.parse(new InputData("pEntitySP.xml"));
>>> fail("Expected SAXParseException");
>>> }
>>> catch (SAXParseException se) {
>>> assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
>>> }
>>> }
>>>
>>> private static class SecureParser extends SAXParser {
>>> SecureParser() {
>>> super(new SecureProcessingConfiguration());
>>> }
>>> }
>>>
>>> }
>>>
>>>
>>> It fails with a heap out of memory. Any suggestions?
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <
>>> mrglavas@ca.ibm.com> wrote:
>>>
>>>> Was planning on only adding it to SecureProcessingConfiguration. Have
>>>> been
>>>> thinking about making it the default config in the next release.
>>>>
>>>> Michael Glavassevich
>>>> XML Technologies and WAS Development
>>>> IBM Toronto Lab
>>>> E-mail: mrglavas@ca.ibm.com
>>>> E-mail: mrglavas@apache.org
>>>>
>>>> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014 02:30:10
>>>> PM:
>>>>
>>>> > Should this property be supported by all configurations are just by
>>>> > the SecureProcessingConfiguration?
>>>> >
>>>>
>>>> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
>>>> <mrglavas@ca.ibm.com
>>>> > > wrote:
>>>> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
>>>> 04:08:58
>>>> > PM:
>>>> >
>>>> > > From: Elliotte Rusty Harold <el...@ibiblio.org>
>>>> > > To: j-dev@xerces.apache.org,
>>>> > > Date: 07/08/2014 04:09 PM
>>>> > > Subject: Re: totalEntitySizeLimit
>>>> > >
>>>> > > What name will be used?
>>>>
>>>> > Following naming conventions of Xerces' other properties it would
>>>> probably
>>>> > be something like:
>>>> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
>>>> >
>>>> > > Any plans for when the next release is likely to drop?
>>>>
>>>> > There's no date yet. Any discussion about that would happen on this
>>>> > mailing list. We know we're long overdue though.
>>>> >
>>>> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
>>>> > <mr...@ca.ibm.com>
>>>> > > > wrote:
>>>> > > There's been some work on the trunk for supporting similar function
>>>> but
>>>> > it
>>>> > > won't be exposed with that Oracle property name.
>>>> > >
>>>> > > Michael Glavassevich
>>>> > > XML Technologies and WAS Development
>>>> > > IBM Toronto Lab
>>>> > > E-mail: mrglavas@ca.ibm.com
>>>> > > E-mail: mrglavas@apache.org
>>>> > >
>>>> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
>>>> 12:30:07
>>>> > > PM:
>>>> > >
>>>> > > > Is there any plan to implement the
>>>> http://www.oracle.com/xml/jaxp/
>>>> > > > properties/totalEntitySizeLimit property or equivalent in trunk
>>>> > Xerces?
>>>> > > >
>>>> > > > It is supported for a few months now in the patched Xerces shipped
>>>> > > > with the JDK 7.
>>>> > > >
>>>> > > > --
>>>> > > > Elliotte Rusty Harold
>>>> > > > elharo@ibiblio.org
>>>> > >
>>>> > >
>>>> ---------------------------------------------------------------------
>>>> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>>>> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
>>>> > >
>>>> > > --
>>>> > > Elliotte Rusty Harold
>>>> > > elharo@ibiblio.org
>>>>
>>>> > Thanks.
>>>> >
>>>> > Michael Glavassevich
>>>> > XML Technologies and WAS Development
>>>> > IBM Toronto Lab
>>>> > E-mail: mrglavas@ca.ibm.com
>>>> > E-mail: mrglavas@apache.org
>>>> >
>>>>
>>>> > ---------------------------------------------------------------------
>>>> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>>>> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>>>>
>>>> >
>>>>
>>>> >
>>>> > --
>>>> > Elliotte Rusty Harold
>>>> > elharo@ibiblio.org
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>>>> For additional commands, e-mail: j-dev-help@xerces.apache.org
>>>>
>>>>
>>>
>>>
>>> --
>>> Elliotte Rusty Harold
>>> elharo@ibiblio.org
>>>
>>
>>
>>
>> --
>> Elliotte Rusty Harold
>> elharo@ibiblio.org
>>
>
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
--
Elliotte Rusty Harold
elharo@ibiblio.org
Re: totalEntitySizeLimit
Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
I'm attaching a patch. (I looked for a way to attach a patch in Jira but
couldn't find one.)
Feel free to request revisions.
On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold <el...@ibiblio.org>
wrote:
>
> OK this is weird. Apparently everything works if I set
>
> System.setProperty("jdk.xml.entityExpansionLimit", "0");
>
>
> and otherwise it doesn't. Somehow that triggers the use of the
> SecureProcessingConfiguration. Can anyone explain why?
>
>
>
>
>
>
> On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <elharo@ibiblio.org
> > wrote:
>
>> I can make SecureProcessingConfiguration recognize the SAX property
>> http://apache.org/xml/properties/total-entity-size-limit (i.e. you can
>> get it and set it.)
>>
>> However there's something I'm missing in terms of making it actually pay
>> attention to it.
>>
>> I've added this code to checkEntitySizeLimits:
>>
>> // If a specific value is set on the reader use that; otherwise
>> use system value
>> int totalEntitySizeProperty = ((Number)
>> getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
>> int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
>> totalEntitySizeProperty
>> : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>>
>>
>> However my tests and the debugger tell me that nothing is ever
>> calling checkEntitySizeLimits. So there's probably something I don't
>> understand about setting up the parser. What I'm doing is this:
>>
>> public class TotalEntitySizeTest extends TestCase {
>>
>> private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
>> = "http://apache.org/xml/properties/total-entity-size-limit";
>>
>> public void testSAXTotalEntitySizeLimitSystemProperty() throws
>> Exception {
>> XMLReader reader = new SecureParser();
>> reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
>> Integer.valueOf(10000));
>> assertEquals(Integer.valueOf(10000),
>> reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>>
>> try {
>> reader.parse(new InputData("pEntitySP.xml"));
>> fail("Expected SAXParseException");
>> }
>> catch (SAXParseException se) {
>> assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
>> }
>> }
>>
>> private static class SecureParser extends SAXParser {
>> SecureParser() {
>> super(new SecureProcessingConfiguration());
>> }
>> }
>>
>> }
>>
>>
>> It fails with a heap out of memory. Any suggestions?
>>
>>
>>
>>
>>
>> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <
>> mrglavas@ca.ibm.com> wrote:
>>
>>> Was planning on only adding it to SecureProcessingConfiguration. Have
>>> been
>>> thinking about making it the default config in the next release.
>>>
>>> Michael Glavassevich
>>> XML Technologies and WAS Development
>>> IBM Toronto Lab
>>> E-mail: mrglavas@ca.ibm.com
>>> E-mail: mrglavas@apache.org
>>>
>>> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014 02:30:10
>>> PM:
>>>
>>> > Should this property be supported by all configurations are just by
>>> > the SecureProcessingConfiguration?
>>> >
>>>
>>> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
>>> <mrglavas@ca.ibm.com
>>> > > wrote:
>>> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
>>> 04:08:58
>>> > PM:
>>> >
>>> > > From: Elliotte Rusty Harold <el...@ibiblio.org>
>>> > > To: j-dev@xerces.apache.org,
>>> > > Date: 07/08/2014 04:09 PM
>>> > > Subject: Re: totalEntitySizeLimit
>>> > >
>>> > > What name will be used?
>>>
>>> > Following naming conventions of Xerces' other properties it would
>>> probably
>>> > be something like:
>>> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
>>> >
>>> > > Any plans for when the next release is likely to drop?
>>>
>>> > There's no date yet. Any discussion about that would happen on this
>>> > mailing list. We know we're long overdue though.
>>> >
>>> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
>>> > <mr...@ca.ibm.com>
>>> > > > wrote:
>>> > > There's been some work on the trunk for supporting similar function
>>> but
>>> > it
>>> > > won't be exposed with that Oracle property name.
>>> > >
>>> > > Michael Glavassevich
>>> > > XML Technologies and WAS Development
>>> > > IBM Toronto Lab
>>> > > E-mail: mrglavas@ca.ibm.com
>>> > > E-mail: mrglavas@apache.org
>>> > >
>>> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
>>> 12:30:07
>>> > > PM:
>>> > >
>>> > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
>>> > > > properties/totalEntitySizeLimit property or equivalent in trunk
>>> > Xerces?
>>> > > >
>>> > > > It is supported for a few months now in the patched Xerces shipped
>>> > > > with the JDK 7.
>>> > > >
>>> > > > --
>>> > > > Elliotte Rusty Harold
>>> > > > elharo@ibiblio.org
>>> > >
>>> > > ---------------------------------------------------------------------
>>> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>>> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
>>> > >
>>> > > --
>>> > > Elliotte Rusty Harold
>>> > > elharo@ibiblio.org
>>>
>>> > Thanks.
>>> >
>>> > Michael Glavassevich
>>> > XML Technologies and WAS Development
>>> > IBM Toronto Lab
>>> > E-mail: mrglavas@ca.ibm.com
>>> > E-mail: mrglavas@apache.org
>>> >
>>>
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>>> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>>>
>>> >
>>>
>>> >
>>> > --
>>> > Elliotte Rusty Harold
>>> > elharo@ibiblio.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>>> For additional commands, e-mail: j-dev-help@xerces.apache.org
>>>
>>>
>>
>>
>> --
>> Elliotte Rusty Harold
>> elharo@ibiblio.org
>>
>
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
--
Elliotte Rusty Harold
elharo@ibiblio.org
Re: totalEntitySizeLimit
Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
OK this is weird. Apparently everything works if I set
System.setProperty("jdk.xml.entityExpansionLimit", "0");
and otherwise it doesn't. Somehow that triggers the use of the
SecureProcessingConfiguration. Can anyone explain why?
On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <el...@ibiblio.org>
wrote:
> I can make SecureProcessingConfiguration recognize the SAX property
> http://apache.org/xml/properties/total-entity-size-limit (i.e. you can
> get it and set it.)
>
> However there's something I'm missing in terms of making it actually pay
> attention to it.
>
> I've added this code to checkEntitySizeLimits:
>
> // If a specific value is set on the reader use that; otherwise
> use system value
> int totalEntitySizeProperty = ((Number)
> getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
> int totalEntitySizeLimit = totalEntitySizeProperty > 0 ?
> totalEntitySizeProperty
> : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>
>
> However my tests and the debugger tell me that nothing is ever
> calling checkEntitySizeLimits. So there's probably something I don't
> understand about setting up the parser. What I'm doing is this:
>
> public class TotalEntitySizeTest extends TestCase {
>
> private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
> = "http://apache.org/xml/properties/total-entity-size-limit";
>
> public void testSAXTotalEntitySizeLimitSystemProperty() throws
> Exception {
> XMLReader reader = new SecureParser();
> reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME,
> Integer.valueOf(10000));
> assertEquals(Integer.valueOf(10000),
> reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>
> try {
> reader.parse(new InputData("pEntitySP.xml"));
> fail("Expected SAXParseException");
> }
> catch (SAXParseException se) {
> assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
> }
> }
>
> private static class SecureParser extends SAXParser {
> SecureParser() {
> super(new SecureProcessingConfiguration());
> }
> }
>
> }
>
>
> It fails with a heap out of memory. Any suggestions?
>
>
>
>
>
> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <
> mrglavas@ca.ibm.com> wrote:
>
>> Was planning on only adding it to SecureProcessingConfiguration. Have been
>> thinking about making it the default config in the next release.
>>
>> Michael Glavassevich
>> XML Technologies and WAS Development
>> IBM Toronto Lab
>> E-mail: mrglavas@ca.ibm.com
>> E-mail: mrglavas@apache.org
>>
>> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/25/2014 02:30:10
>> PM:
>>
>> > Should this property be supported by all configurations are just by
>> > the SecureProcessingConfiguration?
>> >
>>
>> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
>> <mrglavas@ca.ibm.com
>> > > wrote:
>> > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014 04:08:58
>> > PM:
>> >
>> > > From: Elliotte Rusty Harold <el...@ibiblio.org>
>> > > To: j-dev@xerces.apache.org,
>> > > Date: 07/08/2014 04:09 PM
>> > > Subject: Re: totalEntitySizeLimit
>> > >
>> > > What name will be used?
>>
>> > Following naming conventions of Xerces' other properties it would
>> probably
>> > be something like:
>> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
>> >
>> > > Any plans for when the next release is likely to drop?
>>
>> > There's no date yet. Any discussion about that would happen on this
>> > mailing list. We know we're long overdue though.
>> >
>> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
>> > <mr...@ca.ibm.com>
>> > > > wrote:
>> > > There's been some work on the trunk for supporting similar function
>> but
>> > it
>> > > won't be exposed with that Oracle property name.
>> > >
>> > > Michael Glavassevich
>> > > XML Technologies and WAS Development
>> > > IBM Toronto Lab
>> > > E-mail: mrglavas@ca.ibm.com
>> > > E-mail: mrglavas@apache.org
>> > >
>> > > Elliotte Rusty Harold <el...@ibiblio.org> wrote on 07/08/2014
>> 12:30:07
>> > > PM:
>> > >
>> > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
>> > > > properties/totalEntitySizeLimit property or equivalent in trunk
>> > Xerces?
>> > > >
>> > > > It is supported for a few months now in the patched Xerces shipped
>> > > > with the JDK 7.
>> > > >
>> > > > --
>> > > > Elliotte Rusty Harold
>> > > > elharo@ibiblio.org
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>> > > For additional commands, e-mail: j-dev-help@xerces.apache.org
>> > >
>> > > --
>> > > Elliotte Rusty Harold
>> > > elharo@ibiblio.org
>>
>> > Thanks.
>> >
>> > Michael Glavassevich
>> > XML Technologies and WAS Development
>> > IBM Toronto Lab
>> > E-mail: mrglavas@ca.ibm.com
>> > E-mail: mrglavas@apache.org
>> >
>>
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>> > For additional commands, e-mail: j-dev-help@xerces.apache.org
>>
>> >
>>
>> >
>> > --
>> > Elliotte Rusty Harold
>> > elharo@ibiblio.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
>> For additional commands, e-mail: j-dev-help@xerces.apache.org
>>
>>
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
--
Elliotte Rusty Harold
elharo@ibiblio.org