Supplying document without content-type headers causes entire stream to be 
buffered in memory, even when using SAX API
----------------------------------------------------------------------------------------------------------------------

                 Key: XERCESJ-1398
                 URL: https://issues.apache.org/jira/browse/XERCESJ-1398
             Project: Xerces2-J
          Issue Type: Bug
          Components: SAX
    Affects Versions: 2.9.1
         Environment: Debian Linux, Sun JDK 1.5.0_20
            Reporter: Karl Wright
             Fix For: 2.9.1


If the parser needs to autodetect the encoding of the input stream, it wraps 
the input stream using the RewindableInputStream class within XMLEntityManager. 
 But this class buffers everything that is read from the stream, even after the 
autodetection is complete (and no possibility of rewind being used exists 
anymore).  It is therefore trivial to submit XML to xerces2-j which causes an 
"OutOfMemoryError" exception to be thrown, which could lead to a denial of 
service under appropriate conditions.

The fix I created for this involved adding a method "stopBuffering()" to the 
RewindableInputStream class, which shuts off further buffering by that class.  
I call this method when the encoding has been decided upon (i.e. right before 
createReader is called, everywhere).


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
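
The buffering behaviour and the stopBuffering() idea described in the report, as an added Java example; this is a simplified sketch and not the Xerces2-J RewindableInputStream or the reporter's patch. The class name RewindableSketch, the helper retainedAfterParse and the 1 MiB input are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

// Hypothetical stand-in for a rewindable stream: it records every byte it
// reads so an encoding sniffer can rewind, until stopBuffering() is called.
public class RewindableSketch extends InputStream {
    private static final byte[] EMPTY = new byte[0];
    private final InputStream in;
    private byte[] buf = new byte[64];
    private int length;               // bytes recorded in buf
    private int offset;               // replay position inside buf
    private boolean buffering = true;
    public RewindableSketch(InputStream in) { this.in = in; }
    public void rewind() {
        // Design choice of this sketch: rewinding is refused once buffering is off.
        if (!buffering) throw new IllegalStateException("rewind after stopBuffering");
        offset = 0;
    }
    public void stopBuffering() { buffering = false; }

    @Override
    public int read() throws IOException {
        if (offset < length) return buf[offset++] & 0xff; // replay recorded bytes
        int b = in.read();
        if (!buffering) {             // pass through and release the recording
            buf = EMPTY; length = offset = 0;
            return b;
        }
        if (b == -1) return -1;
        if (length == buf.length) buf = Arrays.copyOf(buf, length * 2);
        buf[length++] = (byte) b;     // unbounded growth while buffering is on
        offset++;
        return b;
    }
    // Returns how many bytes of buffer are still held after the whole input is read.
    static int retainedAfterParse(boolean stop) throws IOException {
        byte[] doc = new byte[1 << 20];           // constructed 1 MiB input
        Arrays.fill(doc, (byte) 'a');
        RewindableSketch s = new RewindableSketch(new ByteArrayInputStream(doc));
        for (int i = 0; i < 4; i++) s.read();     // sniff the leading bytes
        s.rewind();                               // re-read them once the encoding is chosen
        if (stop) s.stopBuffering();              // the point where a reader would be created
        while (s.read() != -1) { }                // the parser consumes the rest
        return s.buf.length;
    }
    public static void main(String[] args) throws IOException {
        System.out.println("buffering left on: " + retainedAfterParse(false) + " bytes held");
        System.out.println("stopBuffering():   " + retainedAfterParse(true) + " bytes held");
    }
}
```

With buffering left on, the held buffer grows with the size of the input, so memory use is controlled by whoever supplies the document; after stopBuffering() the recording is released as soon as the replayed bytes are consumed.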

