I'm attaching a patch. (I looked for a way to attach a patch in Jira but
couldn't find one.)

Feel free to request revisions.


On Fri, Aug 8, 2014 at 1:51 PM, Elliotte Rusty Harold <[email protected]>
wrote:

>
> OK this is weird. Apparently everything works if I set
>
>         System.setProperty("jdk.xml.entityExpansionLimit", "0");
>
>
> and otherwise it doesn't. Somehow that triggers the use of the
> SecureProcessingConfiguration. Can anyone explain why?
>
>
>
>
>
>
> On Fri, Aug 8, 2014 at 12:55 PM, Elliotte Rusty Harold <[email protected]
> > wrote:
>
>> I can make SecureProcessingConfiguration recognize the SAX property
>> http://apache.org/xml/properties/total-entity-size-limit (i.e. you can
>> get it and set it.)
>>
>> However there's something I'm missing in terms of making it actually pay
>> attention to it.
>>
>> I've added this code to checkEntitySizeLimits:
>>
>>         // If a specific value is set on the reader use that; otherwise use system value
>>         int totalEntitySizeProperty = ((Number) getProperty(TOTAL_ENTITY_SIZE_PROPERTY)).intValue();
>>         int totalEntitySizeLimit = totalEntitySizeProperty > 0 ? totalEntitySizeProperty
>>                 : TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
>>
>>
>> However my tests and the debugger tell me that nothing is ever
>> calling checkEntitySizeLimits. So there's probably something I don't
>> understand about setting up the parser.  What I'm doing is this:
>>
>> import junit.framework.TestCase;
>>
>> import org.apache.xerces.parsers.SAXParser;
>> import org.apache.xerces.parsers.SecureProcessingConfiguration;
>> import org.xml.sax.SAXParseException;
>> import org.xml.sax.XMLReader;
>>
>> import jaxp.InputData;
>>
>> public class TotalEntitySizeTest extends TestCase {
>>
>>     private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME
>>         = "http://apache.org/xml/properties/total-entity-size-limit";
>>
>>     public void testSAXTotalEntitySizeLimitSystemProperty() throws Exception {
>>         XMLReader reader = new SecureParser();
>>         reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME, Integer.valueOf(10000));
>>         assertEquals(Integer.valueOf(10000),
>>             reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
>>
>>         try {
>>             reader.parse(new InputData("pEntitySP.xml"));
>>             fail("Expected SAXParseException");
>>         }
>>         catch (SAXParseException se) {
>>             // The limit should be quoted in the fatal-error message
>>             assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
>>         }
>>     }
>>
>>     // SAXParser wired to the secure configuration under test
>>     private static class SecureParser extends SAXParser {
>>         SecureParser() {
>>             super(new SecureProcessingConfiguration());
>>         }
>>     }
>>
>> }
>>
>>
>> It fails with a heap out of memory. Any suggestions?
>>
>>
>>
>>
>>
>> On Mon, Jul 28, 2014 at 10:58 AM, Michael Glavassevich <
>> [email protected]> wrote:
>>
>>> Was planning on only adding it to SecureProcessingConfiguration. Have
>>> been
>>> thinking about making it the default config in the next release.
>>>
>>> Michael Glavassevich
>>> XML Technologies and WAS Development
>>> IBM Toronto Lab
>>> E-mail: [email protected]
>>> E-mail: [email protected]
>>>
>>> Elliotte Rusty Harold <[email protected]> wrote on 07/25/2014 02:30:10
>>> PM:
>>>
>>> > Should this property be supported by all configurations or just by
>>> > the SecureProcessingConfiguration?
>>> >
>>>
>>> > On Wed, Jul 9, 2014 at 10:46 AM, Michael Glavassevich
>>> <[email protected]
>>> > > wrote:
>>> > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014
>>> 04:08:58
>>> > PM:
>>> >
>>> > > From: Elliotte Rusty Harold <[email protected]>
>>> > > To: [email protected],
>>> > > Date: 07/08/2014 04:09 PM
>>> > > Subject: Re: totalEntitySizeLimit
>>> > >
>>> > > What name will be used?
>>>
>>> > Following naming conventions of Xerces' other properties it would
>>> probably
>>> > be something like:
>>> > http://apache.org/xml/properties/total-entity-size-limit. Still TBD.
>>> >
>>> > > Any plans for when the next release is likely to drop?
>>>
>>> > There's no date yet. Any discussion about that would happen on this
>>> > mailing list. We know we're long overdue though.
>>> >
>>> > > On Tue, Jul 8, 2014 at 1:11 PM, Michael Glavassevich
>>> > <[email protected]>
>>> > > > wrote:
>>> > > There's been some work on the trunk for supporting similar function
>>> but
>>> > it
>>> > > won't be exposed with that Oracle property name.
>>> > >
>>> > > Michael Glavassevich
>>> > > XML Technologies and WAS Development
>>> > > IBM Toronto Lab
>>> > > E-mail: [email protected]
>>> > > E-mail: [email protected]
>>> > >
>>> > > Elliotte Rusty Harold <[email protected]> wrote on 07/08/2014
>>> 12:30:07
>>> > > PM:
>>> > >
>>> > > > Is there any plan to implement the http://www.oracle.com/xml/jaxp/
>>> > > > properties/totalEntitySizeLimit property or equivalent in trunk
>>> > Xerces?
>>> > > >
>>> > > > It is supported for a few months now in the patched Xerces shipped
>>> > > > with the JDK 7.
>>> > > >
>>> > > > --
>>> > > > Elliotte Rusty Harold
>>> > > > [email protected]
>>> > >
>>> > > ---------------------------------------------------------------------
>>> > > To unsubscribe, e-mail: [email protected]
>>> > > For additional commands, e-mail: [email protected]
>>> > >
>>> > > --
>>> > > Elliotte Rusty Harold
>>> > > [email protected]
>>>
>>> > Thanks.
>>> >
>>> > Michael Glavassevich
>>> > XML Technologies and WAS Development
>>> > IBM Toronto Lab
>>> > E-mail: [email protected]
>>> > E-mail: [email protected]
>>> >
>>>
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: [email protected]
>>> > For additional commands, e-mail: [email protected]
>>>
>>> >
>>>
>>> >
>>> > --
>>> > Elliotte Rusty Harold
>>> > [email protected]
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>>
>>
>>
>> --
>> Elliotte Rusty Harold
>> [email protected]
>>
>
>
>
> --
> Elliotte Rusty Harold
> [email protected]
>



-- 
Elliotte Rusty Harold
[email protected]
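The limit the thread is about, exercised end to end. This is an added example, not code from the thread, the patch or Xerces: it uses the JDK property name quoted earlier in the thread (http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit) on the parser bundled with the JDK, and assumes a JDK release that recognises that property (7u40 or later). The Xerces trunk name from the patch, http://apache.org/xml/properties/total-entity-size-limit, is only understood by a Xerces build that contains the patch, so it appears here only in a comment. The oversized input is constructed by the example itself, and the class and method names are the example's own.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example: checks that a per-parser total-entity-size limit really
 * stops an oversized entity. Uses the JDK's property name; the Xerces trunk
 * equivalent from the patch is
 * http://apache.org/xml/properties/total-entity-size-limit and is only
 * recognised by a Xerces build that contains the patch.
 */
public class TotalEntitySizeLimitDemo {

    /** JDK (JAXP) property name for the aggregate entity size limit. */
    static final String JDK_TOTAL_ENTITY_SIZE_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    /**
     * Constructed input: one internal general entity whose replacement text is
     * {@code size} characters long, referenced exactly once. Large but not
     * nested, so only the size limit, not the expansion-count limit, decides
     * the outcome.
     */
    static String documentWithEntityOfSize(int size) {
        StringBuilder sb = new StringBuilder(size + 128);
        sb.append("<?xml version=\"1.0\"?>\n");
        sb.append("<!DOCTYPE doc [ <!ENTITY big \"");
        for (int i = 0; i < size; i++) {
            sb.append('a');
        }
        sb.append("\"> ]>\n<doc>&big;</doc>\n");
        return sb.toString();
    }

    /**
     * Parses {@code xml} with the limit set to {@code limitBytes}. Returns
     * null when the document parsed, or the parser's fatal-error message when
     * the input was refused.
     */
    static String parseWithLimit(String xml, int limitBytes) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Secure processing is on by default in the JDK parser; request it
        // explicitly so the limits apply even if the factory was configured otherwise.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = factory.newSAXParser();
        // Per-parser override, the same idea as the per-reader SAX property in
        // the patch. An Integer is accepted; the JDK also accepts a String.
        parser.setProperty(JDK_TOTAL_ENTITY_SIZE_LIMIT, Integer.valueOf(limitBytes));
        try {
            // DefaultHandler.fatalError rethrows, so the limit surfaces as an exception.
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        int limit = 10000;
        String within = parseWithLimit(documentWithEntityOfSize(limit / 2), limit);
        String over = parseWithLimit(documentWithEntityOfSize(limit * 2), limit);
        System.out.println("within limit: " + (within == null ? "parsed" : "rejected: " + within));
        System.out.println("over limit:   " + (over == null ? "parsed, limit not enforced" : "rejected: " + over));
    }
}
```

The second run is the one to watch: if it prints "parsed, limit not enforced", the property was accepted but is not being applied, which is the symptom the thread describes for the Xerces side. The message the JDK produces quotes the limit with a grouping separator, which is why the test in the patch matches on `"10,000"`; that string depends on the default locale.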
### Eclipse Workspace Patch 1.0
#P xerces-svn
Index: tests/security/TotalEntitySizeTest.java
===================================================================
--- tests/security/TotalEntitySizeTest.java     (revision 0)
+++ tests/security/TotalEntitySizeTest.java     (working copy)
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package security;
+
+import junit.framework.TestCase;
+
+import org.apache.xerces.parsers.SAXParser;
+import org.apache.xerces.parsers.SecureProcessingConfiguration;
+import org.xml.sax.SAXParseException;
+import org.xml.sax.XMLReader;
+
+import jaxp.InputData;
+
+/**
+ * Tests for secure processing features.
+ * 
+ * @author Elliotte Rusty Harold
+ * @version $Id: $
+ */
+public class TotalEntitySizeTest extends TestCase {
+
+    private static final String TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME 
+        = "http://apache.org/xml/properties/total-entity-size-limit";;
+        
+    protected void setUp() throws Exception {
+        super.setUp();
+        System.setProperty("jdk.xml.entityExpansionLimit", "0");
+    }    
+    
+    public void testSAXTotalEntitySizeLimitSystemProperty() throws Exception {
+        XMLReader reader = new SAXParser(new SecureProcessingConfiguration());
+        reader.setProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME, 
Integer.valueOf(10000));
+        assertEquals(Integer.valueOf(10000), 
reader.getProperty(TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME));
+        try {
+            reader.parse(new InputData("pEntitySP.xml"));
+            fail("Expected SAXParseException");
+        }
+        catch (SAXParseException se) {
+            assertTrue(se.getMessage().indexOf("\"10,000\"") != -1);
+        }
+    }
+    
+}
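Review bot: setUp() sets jdk.xml.entityExpansionLimit to 0 with System.setProperty and never restores it, so the setting leaks into every other test that runs in the same JVM; add a tearDown() that puts the previous value back (or System.clearProperty when there was none). Also in this hunk: the doubled semicolon after the TOTAL_ENTITY_SIZE_LIMIT_PROPERTY_NAME initializer is legal but should go; the check `se.getMessage().indexOf("\"10,000\"")` depends on the grouping separator of the default locale, so match on the message key or pin the locale; the fixture pEntitySP.xml that the test parses is not part of this patch; and the method name says SystemProperty while what it actually exercises is the per-reader SAX property.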
Index: src/org/apache/xerces/parsers/SecureProcessingConfiguration.java
===================================================================
--- src/org/apache/xerces/parsers/SecureProcessingConfiguration.java    
(revision 1616777)
+++ src/org/apache/xerces/parsers/SecureProcessingConfiguration.java    
(working copy)
@@ -68,18 +68,11 @@
     /** Property identifier: entity resolver. */
     private static final String ENTITY_RESOLVER_PROPERTY = 
         Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_RESOLVER_PROPERTY;
-    
-    /** Feature identifier: external general entities. */
-    private static final String EXTERNAL_GENERAL_ENTITIES =
-        Constants.SAX_FEATURE_PREFIX + 
Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE;
-
-    /** Feature identifier: external parameter entities. */
-    private static final String EXTERNAL_PARAMETER_ENTITIES =
-        Constants.SAX_FEATURE_PREFIX + 
Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE;
+        
+    /** Property identifier: Total Entity Size */
+    private static final String TOTAL_ENTITY_SIZE_PROPERTY = 
+        Constants.XERCES_PROPERTY_PREFIX + Constants.TOTAL_ENTITY_SIZE_LIMIT;
     
-    /** Feature identifier: load external DTD. */
-    private static final String LOAD_EXTERNAL_DTD =
-        Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE;
     
     /** Set to true for debugging */
     private static final boolean DEBUG = isDebugEnabled();
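Review bot: the removal of EXTERNAL_GENERAL_ENTITIES, EXTERNAL_PARAMETER_ENTITIES and LOAD_EXTERNAL_DTD is unrelated to adding the size-limit property, and nothing in the diff shows whether those identifiers are still referenced later in the file; either split that cleanup into its own change or state in the commit message that they were unused. TOTAL_ENTITY_SIZE_PROPERTY is built from Constants.TOTAL_ENTITY_SIZE_LIMIT, and no hunk in this patch adds that constant to Constants.java, so the patch only compiles if it already exists on trunk. The Javadoc `Property identifier: Total Entity Size` should follow the style of the neighbouring identifiers, e.g. `Property identifier: total entity size limit.`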
@@ -170,6 +163,10 @@
             XMLGrammarPool grammarPool,
             XMLComponentManager parentSettings) {
         super(symbolTable, grammarPool, parentSettings);
+        
+        String[] additionalProperties = {TOTAL_ENTITY_SIZE_PROPERTY};
+        addRecognizedProperties(additionalProperties);
+        
         fJavaSecurityManagerEnabled = (System.getSecurityManager() != null);
         ENTITY_EXPANSION_LIMIT_SYSTEM_VALUE = 
getPropertyValue(ENTITY_EXPANSION_LIMIT_PROPERTY_NAME, 
ENTITY_EXPANSION_LIMIT_DEFAULT_VALUE);
         MAX_OCCUR_LIMIT_SYSTEM_VALUE = 
getPropertyValue(MAX_OCCUR_LIMIT_PROPERTY_NAME, MAX_OCCUR_LIMIT_DEFAULT_VALUE);
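Review bot: addRecognizedProperties registers the property but never gives it a value, so getProperty(TOTAL_ENTITY_SIZE_PROPERTY) returns null until a caller sets it and a caller querying the effective limit learns nothing; consider initialising it to the system value once the *_SYSTEM_VALUE fields have been read in this constructor, so the property always reflects the limit in force. The two blank lines added here carry trailing whitespace.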
@@ -192,12 +189,22 @@
         super.setProperty(ENTITY_RESOLVER_PROPERTY, fExternalEntityMonitor);
     }
     
-    protected void checkEntitySizeLimits(int sizeOfEntity, int delta, boolean 
isPE) {
+    protected void checkEntitySizeLimits(int sizeOfEntity, int delta, boolean 
isPE) {            
+        // If a specific value is set on the reader use that; otherwise use 
system value
+        int totalEntitySizeLimit = TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE;
+        Number saxPropertyValue = (Number) 
getProperty(TOTAL_ENTITY_SIZE_PROPERTY);
+        if (saxPropertyValue != null) {
+            int totalEntitySizeProperty = saxPropertyValue.intValue();
+            if (totalEntitySizeProperty > 0) {
+                totalEntitySizeLimit = totalEntitySizeProperty;
+            }
+        }
+        
         fTotalEntitySize += delta;
-        if (fTotalEntitySize > TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE) {
+        if (fTotalEntitySize > totalEntitySizeLimit) {
             fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,
                     "TotalEntitySizeLimitExceeded",
-                    new Object[] {new 
Integer(TOTAL_ENTITY_SIZE_LIMIT_SYSTEM_VALUE)},
+                    new Object[] {new Integer(totalEntitySizeLimit)},
                     XMLErrorReporter.SEVERITY_FATAL_ERROR);
         }
         if (isPE) {
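Review bot: checkEntitySizeLimits runs for every delta reported by the entity monitors, and this version does a property-map lookup, a cast and an unboxing on each call; resolve the limit once when the property is set (override setProperty for TOTAL_ENTITY_SIZE_PROPERTY and keep an int field) rather than recomputing it per call. Two semantic points: the unchecked cast to Number throws ClassCastException if a caller passes the value as a String, which is the form the JDK accepts for its limits, so either parse Strings or reject them with SAXNotSupportedException from setProperty; and a value of 0 or less is silently ignored in favour of the system value, which should be documented on the property (the JDK treats 0 as "no limit" for its jdk.xml.* settings, so callers may expect that meaning). The rewritten signature line also gained trailing whitespace.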
@@ -796,7 +803,7 @@
     final class ExternalEntityMonitor implements XMLEntityResolver {
         
         /**
-         * java.io.InputStream wrapper which check entity size limits.
+         * java.io.InputStream wrapper which checks entity size limits.
          */
         final class InputStreamMonitor extends FilterInputStream {
             
@@ -828,7 +835,7 @@
         }
         
         /**
-         * java.io.Reader wrapper which check entity size limits.
+         * java.io.Reader wrapper which checks entity size limits.
          */
         final class ReaderMonitor extends FilterReader {
             

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
