You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@poi.apache.org by fa...@apache.org on 2018/08/11 11:03:20 UTC
svn commit: r1837864 -
/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
Author: fanningpj
Date: Sat Aug 11 11:03:20 2018
New Revision: 1837864
URL: http://svn.apache.org/viewvc?rev=1837864&view=rev
Log:
reduce entity expansion limit
Modified:
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java?rev=1837864&r1=1837863&r2=1837864&view=diff
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java Sat Aug 11 11:03:20 2018
@@ -33,6 +33,11 @@ import org.xml.sax.XMLReader;
* Provides handy methods for working with SAX parsers and readers
*/
public final class SAXHelper {
+ public static final String PROPERTY_ENTITY_EXPANSION_LIMIT = "xmlbeans.sax.entity.expansion.limit";
+ public static final int DEFAULT_ENTITY_EXPANSION_LIMIT = 10;
+ private static final int ENTITY_EXPANSION_LIMIT = Integer.getInteger(PROPERTY_ENTITY_EXPANSION_LIMIT, DEFAULT_ENTITY_EXPANSION_LIMIT);
+ private static final String XML_PROPERTY_ENTITY_EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
+ private static final String XML_PROPERTY_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
private static final XBLogger logger = XBLogFactory.getLogger(SAXHelper.class);
private static long lastLog;
@@ -77,14 +82,14 @@ public final class SAXHelper {
private static void trySetXercesSecurityManager(XMLReader xmlReader) {
// Try built-in JVM one first, standalone if not
for (String securityManagerClassName : new String[] {
- "com.sun.org.apache.xerces.internal.util.SecurityManager",
+ //"com.sun.org.apache.xerces.internal.util.SecurityManager",
"org.apache.xerces.util.SecurityManager"
}) {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 4096);
- xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
+ setLimit.invoke(mgr, ENTITY_EXPANSION_LIMIT);
+ xmlReader.setProperty(XML_PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
} catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here
@@ -95,5 +100,16 @@ public final class SAXHelper {
}
}
}
+
+ // separate old version of Xerces not found => use the builtin way of setting the property
+ try {
+ xmlReader.setProperty(XML_PROPERTY_ENTITY_EXPANSION_LIMIT, ENTITY_EXPANSION_LIMIT);
+ } catch (SAXException e) { // NOSONAR - also catch things like NoClassDefError here
+ // throttle the log somewhat as it can spam the log otherwise
+ if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
+ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e);
+ lastLog = System.currentTimeMillis();
+ }
+ }
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org