https://bz.apache.org/bugzilla/show_bug.cgi?id=64541

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #7 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Christopher Schultz from comment #6)
> I'm still curious as to why the SAX parser is warning of deep entity
> replacements, here, when I only see a single level.

Another "duh": this isn't about limits on entity expansion depth. Just the
expansion *count*.

So if you have a document like this:

<!ENTITY foo "bar">

&foo;
&foo;
&foo;
&foo;
&foo;

You'll need to have an entityExpansionLimit of 5 or more in order to allow the
document to be parsed without error.

This has nothing to do with the billion laughs attack, except that
entityExpansionLimit can be used to limit the total number of replacements
(which indeed can effectively mitigate the billion-laughs attack). By limiting
the number of replacements to "1" you are effectively disabling all use of XML
entities, which isn't really practical.

I think the JAXP security settings you are looking for are more like these:

XMLConstants.FEATURE_SECURE_PROCESSING
http://xml.org/sax/features/external-general-entities
http://xml.org/sax/features/external-parameter-entities

I'm not convinced Tomcat should fix this bug, yet, but if Tomcat does fix this,
it will be by explicitly allowing entity expansion when parsing its own files,
which may be a violation of the security policies which your organization sets.

I'm not sure if there is a good solution, here, for you, other than removing
the DOCTYPE definitions.
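As an added example (not part of the bug report or of Tomcat's code), the JAXP settings named above applied to a document like the five-reference one in the comment. The class name EntityLimitDemo and the sample document are constructed for this illustration; the expansion limit is set through the JDK's JAXP processing-limit property, with external entities disabled and internal entities still allowed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitDemo {
    // Constructed sample: one internal entity, one level deep, referenced five times.
    static final String DOC =
        "<!DOCTYPE root [<!ENTITY foo \"bar\">]>\n" +
        "<root>&foo;&foo;&foo;&foo;&foo;</root>";

    // JDK JAXP processing-limit property that caps the expansion *count* per document.
    static final String EXPANSION_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Parses DOC with the given expansion limit and returns the expanded text content.
    static String parse(int limit) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Block fetching of external resources; internal entities such as &foo; still work.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser p = f.newSAXParser();
        p.setProperty(EXPANSION_LIMIT, limit);
        StringBuilder text = new StringBuilder();
        p.parse(new ByteArrayInputStream(DOC.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler() {
                    @Override public void characters(char[] ch, int s, int l) {
                        text.append(ch, s, l);
                    }
                });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Five replacements against a limit of 4: the parser is expected to reject the document.
        try {
            parse(4);
            System.out.println("limit 4: parsed");
        } catch (SAXException e) {
            System.out.println("limit 4: rejected -> " + e.getMessage());
        }
        // Limit of 5 covers all five replacements, so the document parses.
        System.out.println("limit 5: " + parse(5));
    }
}
```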
