Ioannis Kakavas created TIKA-2731:
-------------------------------------
Summary: Unnecessary call to System.getProperties() in
XMLReaderUtils
Key: TIKA-2731
URL: https://issues.apache.org/jira/browse/TIKA-2731
Project: Tika
Issue Type: Improvement
Components: core
Affects Versions: 1.19
Reporter: Ioannis Kakavas
Fix For: 1.20
As part of the changes introduced in
[1.19|https://github.com/apache/tika/commit/4e67928412ad56333d400f3728ecdb59d07d9d63]
determineMaxEntityExpansions needs to read the jdk.xml.entityExpansionLimit
System Property in order to overwrite the default value of 20, if it is set.
This is, however, done by reading all System Properties with System.getProperties()
and attempting to find the relevant key in the properties Object. The issue
with this approach is that getProperties() requires
{noformat}java.util.PropertyPermission "*", "read,write"{noformat}
which is overly permissive.
A more sane approach, following the least privilege design principle, would be
to use System.getProperty() for the specific property that only requires
{noformat}java.util.PropertyPermission "jdk.xml.entityExpansionLimit", "read"{noformat}
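The permission difference described in the issue above, as an added example that is not part of the original report and not Tika's code. The class name and the readLimit() helper are hypothetical; the property name and the default of 20 come from the issue text. It uses PropertyPermission.implies() to show that a policy granting only the narrow read permission covers System.getProperty() for that key but not System.getProperties().

```java
import java.util.PropertyPermission;

public class EntityExpansionLimitExample {
    // Property name and default value as stated in the issue text.
    static final String KEY = "jdk.xml.entityExpansionLimit";
    static final int DEFAULT_LIMIT = 20;

    // Hypothetical helper: reads only the one property it needs, so the
    // caller requires PropertyPermission(KEY, "read") and nothing broader.
    static int readLimit() {
        String value;
        try {
            value = System.getProperty(KEY);
        } catch (SecurityException e) {
            // Not even the narrow permission was granted: keep the default.
            return DEFAULT_LIMIT;
        }
        if (value == null) {
            return DEFAULT_LIMIT;
        }
        try {
            return Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            // Malformed value: keep the default rather than failing.
            return DEFAULT_LIMIT;
        }
    }

    public static void main(String[] args) {
        // What a least-privilege policy would grant to the calling code.
        PropertyPermission granted = new PropertyPermission(KEY, "read");

        // What each call is checked against when a SecurityManager is active.
        PropertyPermission forGetProperty = new PropertyPermission(KEY, "read");
        PropertyPermission forGetProperties = new PropertyPermission("*", "read,write");

        System.out.println("grant covers getProperty(KEY): "
                + granted.implies(forGetProperty));
        System.out.println("grant covers getProperties():  "
                + granted.implies(forGetProperties));

        System.out.println("limit with property unset: " + readLimit());
        System.setProperty(KEY, "5000"); // constructed sample value
        System.out.println("limit with property set:   " + readLimit());
        System.setProperty(KEY, "not-a-number"); // constructed malformed value
        System.out.println("limit with bad value:      " + readLimit());
    }
}
```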