ppkarwasz commented on code in PR #22:
URL: https://github.com/apache/commons-xml/pull/22#discussion_r3552469973
##########
src/test/java/org/apache/commons/xml/AttackTestSupport.java:
##########
@@ -347,8 +376,9 @@ static void assertPermissiveStaxParses(final String
payload) {
assertParseSucceeds(() -> {
final XMLInputFactory factory = XMLInputFactory.newInstance();
suppressException(() ->
factory.setProperty(XMLConstants.FEATURE_SECURE_PROCESSING, false));
- // URL form of the JDK property; JDK 8's
XMLSecurityManager.getIndex only matches this form, JDK 11+ accepts both.
- suppressException(() ->
factory.setProperty(JDK_ENTITY_EXPANSION_LIMIT, "0"));
+ liftJdkEntityLimits(factory);
+ // Woodstox ignores the JDK properties and enforces its own
default (100000) entity-count limit; lift it so the positive control parses.
+ suppressException(() -> factory.setProperty(WSTX_MAX_ENTITY_COUNT,
Long.MAX_VALUE));
Review Comment:
Fixed in
https://github.com/apache/commons-xml/pull/22/commits/3abfea554c63d0ff170b61acdf42a752b62c3857
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]