Introduce a threshold system property for staxutils to avoid parsing messages
with an unreasonable inner element level
-------------------------------------------------------------------------------------------------------------------
Key: CXF-3223
URL: https://issues.apache.org/jira/browse/CXF-3223
Project: CXF
Issue Type: Improvement
Reporter: Freeman Fang
Assignee: Freeman Fang
Fix For: 2.3.2, 2.4
If the incoming message looks like
<soap:envelope><soap:body><a1><a2>...<an></an>...</a2></a1></soap:body></soap:envelope>
where "n" could be very large, it will take a long time (a 500k-size message
with only element tags but no real content takes minutes) for staxutils to
parse this message. In some cases, this kind of message with an unreasonable inner
element level should be considered a vulnerability, so we need to introduce an inner
element level threshold property for staxutils, so that if the threshold is
reached we can just throw an exception and stop parsing; this way we ensure
resources are released soon in case of a vulnerability.
The default value of this property should be -1, which means no inner element
limit, for backward compatibility.
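As an added example (not CXF's StaxUtils code), the shape of such a limit on top of the standard StAX API: a `StreamReaderDelegate` that counts `START_ELEMENT`/`END_ELEMENT` events and aborts once nesting exceeds a threshold read from a system property, with -1 meaning no limit. The property name `example.stax.maxElementDepth`, the class names and the constructed nested message are assumptions for this demo.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

public class DepthLimitedReaderDemo {
    // Hypothetical property name; the issue does not specify the real CXF property name.
    static final String DEPTH_PROPERTY = "example.stax.maxElementDepth";

    /** Wraps a reader and throws once nesting depth exceeds maxDepth (-1 = unlimited). */
    static final class DepthLimitedReader extends StreamReaderDelegate {
        private final int maxDepth;
        private int depth;
        DepthLimitedReader(XMLStreamReader r, int maxDepth) { super(r); this.maxDepth = maxDepth; }
        // Only next() is intercepted here; a production wrapper would also cover nextTag().
        @Override public int next() throws XMLStreamException {
            int event = super.next();
            if (event == XMLStreamConstants.START_ELEMENT) {
                depth++;
                if (maxDepth >= 0 && depth > maxDepth) {
                    throw new XMLStreamException("element nesting depth " + depth
                        + " exceeds limit " + maxDepth + "; aborting parse");
                }
            } else if (event == XMLStreamConstants.END_ELEMENT) {
                depth--;
            }
            return event;
        }
    }

    /** Constructed message with n nested empty elements, like the one described in the issue. */
    static String nested(int n) {
        StringBuilder sb = new StringBuilder("<env><body>");
        for (int i = 1; i <= n; i++) sb.append("<a").append(i).append('>');
        for (int i = n; i >= 1; i--) sb.append("</a").append(i).append('>');
        return sb.append("</body></env>").toString();
    }

    /** Drains the document and returns the number of start elements seen, or throws on a depth violation. */
    static int parse(String xml, int maxDepth) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // unrelated hardening, but cheap
        XMLStreamReader r = new DepthLimitedReader(f.createXMLStreamReader(new StringReader(xml)), maxDepth);
        int elements = 0;
        while (r.hasNext()) { if (r.next() == XMLStreamConstants.START_ELEMENT) elements++; }
        return elements;
    }

    public static void main(String[] args) throws Exception {
        int limit = Integer.getInteger(DEPTH_PROPERTY, -1); // default -1 keeps the old unlimited behaviour
        System.out.println("depth 10, limit " + limit + ": " + parse(nested(10), limit) + " elements");
        try { parse(nested(10000), 100); } catch (XMLStreamException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run with `-Dexample.stax.maxElementDepth=100` to see the first parse succeed and the second abort after a bounded amount of work; without the property the first parse runs unlimited, as the proposed default intends.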
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.