[ https://issues.apache.org/jira/browse/SLING-8775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radu Cotescu resolved SLING-8775.
---------------------------------
Resolution: Fixed
Fixed in [commit 89dcfd4|https://github.com/apache/sling-org-apache-sling-xss/commit/89dcfd4].
> java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs
> ---------------------------------------------------------------------
>
> Key: SLING-8775
> URL: https://issues.apache.org/jira/browse/SLING-8775
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Affects Versions: XSS Protection API 2.1.0, XSS Protection API 2.0.8, XSS
> Protection API 2.0.10, XSS Protection API 2.0.12, XSS Protection API 2.0.14,
> XSS Protection API 2.1.6, XSS Protection API 2.1.8
> Reporter: Antonio Sanso
> Assignee: Radu Cotescu
> Priority: Major
> Fix For: XSS Protection API 2.1.10
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The regex patterns defined in AntiSamy's configuration file can throw a
> StackOverflowError for long URLs (1700 characters or more).
> {code:java}
> Caused by: java.lang.StackOverflowError
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at
> java.base/java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3951)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at
> java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
> at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
> at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
> at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
> at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
> at
> java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
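
The failure mode reported above, as an added example that is not code from the Sling or AntiSamy projects: a repeated group around an alternation makes `java.util.regex` recurse once per iteration, so stack depth grows with input length. The pattern, the input, `MAX_LEN` and all class and method names are constructed for illustration, and the flattened pattern and length guard are generic mitigations, not the change made in the fix commit. Requires Java 11 or later.

```java
import java.util.regex.Pattern;

public class RegexStackDepthDemo {
    // Constructed pattern, NOT the AntiSamy one: a repeated group wrapping an
    // alternation. java.util.regex matches it with nested calls per iteration
    // (Loop, GroupHead, Branch, GroupTail frames like those in the trace).
    static final Pattern RECURSIVE = Pattern.compile("(([a-z0-9]+)|[/._~%-])*");
    // Accepts the same strings, written as one character class with a
    // possessive quantifier: matched iteratively, so depth stays constant.
    static final Pattern FLAT = Pattern.compile("[a-z0-9/._~%-]*+");
    static final int MAX_LEN = 65_536; // hypothetical cap, tune per application

    // Fail closed: over-long input or an exhausted stack means "not valid".
    static boolean isValid(Pattern p, String s) {
        if (s.length() > MAX_LEN) return false;
        try {
            return p.matcher(s).matches();
        } catch (StackOverflowError e) {
            return false;
        }
    }

    // Runs the match on a thread with a small requested stack size (the JVM
    // treats the size as a hint) and reports whether the stack overflowed.
    static boolean overflows(Pattern p, String s) throws InterruptedException {
        boolean[] hit = {false};
        Thread t = new Thread(null, () -> {
            try { p.matcher(s).matches(); }
            catch (StackOverflowError e) { hit[0] = true; }
        }, "regex-probe", 256 * 1024);
        t.start();
        t.join();
        return hit[0];
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed input: 200,000 characters of path segments and slashes.
        String longPath = "/seg0".repeat(40_000);
        System.out.println("recursive overflows: " + overflows(RECURSIVE, longPath));
        System.out.println("flat overflows:      " + overflows(FLAT, longPath));
        System.out.println("guarded result:      " + isValid(RECURSIVE, longPath));
    }
}
```

The length at which the recursive form overflows depends on the thread's stack size, which is why the same pattern can pass in tests and fail on request threads configured with smaller stacks.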