[
https://issues.apache.org/jira/browse/CXF-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Freeman Fang resolved CXF-3223.
-------------------------------
Resolution: Fixed
Commit fix:
http://svn.apache.org/viewvc?rev=1053815&view=rev for trunk
http://svn.apache.org/viewvc?rev=1053831&view=rev for 2.3 branch
> introduce a threshold system property for staxutils to avoid parsing messages
> with an unreasonable inner element level
> -------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-3223
> URL: https://issues.apache.org/jira/browse/CXF-3223
> Project: CXF
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
> Fix For: 2.3.2, 2.4
>
>
> If the incoming message looks like
> <soap:envelope><soap:body><a1><a2>...<an></an>...</a2></a1></soap:body></soap:envelope>
> where "n" could be very large, then it will take a long time (a 500k-size message
> with only element tags but no real content will take minutes) for staxutils to
> parse this message. In some cases, this kind of message with an unreasonable
> inner element level should be considered a vulnerability, so we need to
> introduce an inner element level threshold property for staxutils, so that we
> get the chance, if it reaches the threshold, to just throw an exception and stop
> parsing; this way ensures resources are released soon in case of a vulnerability.
> The default value of this property should be -1, which means no inner element
> limit, for backward compatibility.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
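As an added illustration of the threshold the issue proposes (example code written for this page, not CXF's own StaxUtils): a StreamReaderDelegate that counts element depth on every next() call and throws as soon as the limit is crossed, with -1 meaning no limit. The class and method names are assumptions, and the deeply nested sample message is constructed to match the shape the issue describes.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

/** Wraps any XMLStreamReader and aborts once element nesting exceeds maxDepth; -1 means no limit. */
public class DepthLimitingReader extends StreamReaderDelegate {
    private final int maxDepth; // hypothetical: would come from the issue's system property
    private int depth;
    public DepthLimitingReader(XMLStreamReader reader, int maxDepth) { super(reader); this.maxDepth = maxDepth; }
    @Override
    public int next() throws XMLStreamException {
        int event = super.next();
        if (event == XMLStreamConstants.START_ELEMENT) {
            depth++;
            if (maxDepth >= 0 && depth > maxDepth) { // fail fast instead of walking the rest of the input
                throw new XMLStreamException("element nesting depth " + depth
                        + " exceeds limit " + maxDepth, getLocation());
            }
        } else if (event == XMLStreamConstants.END_ELEMENT) {
            depth--;
        }
        return event;
    }
    /** Pulls the whole document through the limiter and returns the deepest nesting seen. */
    public static int scan(String xml, int maxDepth) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE); // no DTD-driven blowups either
        DepthLimitingReader r = new DepthLimitingReader(
                factory.createXMLStreamReader(new StringReader(xml)), maxDepth);
        int deepest = 0;
        while (r.hasNext()) {
            r.next();
            deepest = Math.max(deepest, r.depth);
        }
        return deepest;
    }
    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample in the shape the issue describes: thousands of empty nested elements, no content.
        StringBuilder sb = new StringBuilder("<env><body>");
        for (int i = 0; i < 5000; i++) sb.append("<a>");
        for (int i = 0; i < 5000; i++) sb.append("</a>");
        String msg = sb.append("</body></env>").toString();
        System.out.println("no limit: deepest nesting = " + scan(msg, -1));
        try { scan(msg, 100); } catch (XMLStreamException e) { System.out.println("limit 100: " + e.getMessage()); }
    }
}
```

Callers that advance with nextTag() go straight to the wrapped reader and bypass this override, so a production wrapper should override nextTag() the same way.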