[
https://issues.apache.org/jira/browse/CXF-3359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Kulp updated CXF-3359:
-----------------------------
Fix Version/s: 2.3.4
> introduce a threshold system property for staxutils to avoid parsing message
> with unreasonable element count
> ------------------------------------------------------------------------------------------------------------
>
> Key: CXF-3359
> URL: https://issues.apache.org/jira/browse/CXF-3359
> Project: CXF
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
> Fix For: 2.3.4
>
>
> if the incoming message like
> <soap:envelope><soap:body><a1/><a2/>...<an/></soap:body></soap:envelope>
> "n" here could be very huge, then it will take long time(a 500k size message
> with only element tag but no real content will take minutes) for staxutils to
> parse this message. In case of dispatch/provider mode, this kind of message
> with unreasonable element count should be considered as potential
> vulnerability, so we need introduce element count threshold property for
> staxutils, so that we get chance that if it reach the threshold, just throw
> exception and stop parsing, this way ensure release resource soon in case of
> vulnerability.
> The default value of this property should be -1 which means no element count
> limitation, for backward compatible.
> This issue is related to CXF-3223, which adding a threshold for the element
> level, but this one is for the element count
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
