Author: fanningpj Date: Sat Aug 11 11:03:20 2018 New Revision: 1837864 URL: http://svn.apache.org/viewvc?rev=1837864&view=rev Log: reduce entity expansion limit
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java?rev=1837864&r1=1837863&r2=1837864&view=diff ============================================================================== --- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java (original) +++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java Sat Aug 11 11:03:20 2018 @@ -33,6 +33,11 @@ import org.xml.sax.XMLReader; * Provides handy methods for working with SAX parsers and readers */ public final class SAXHelper { + public static final String PROPERTY_ENTITY_EXPANSION_LIMIT = "xmlbeans.sax.entity.expansion.limit"; + public static final int DEFAULT_ENTITY_EXPANSION_LIMIT = 10; + private static final int ENTITY_EXPANSION_LIMIT = Integer.getInteger(PROPERTY_ENTITY_EXPANSION_LIMIT, DEFAULT_ENTITY_EXPANSION_LIMIT); + private static final String XML_PROPERTY_ENTITY_EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"; + private static final String XML_PROPERTY_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager"; private static final XBLogger logger = XBLogFactory.getLogger(SAXHelper.class); private static long lastLog; @@ -77,14 +82,14 @@ public final class SAXHelper { private static void trySetXercesSecurityManager(XMLReader xmlReader) { // Try built-in JVM one first, standalone if not for (String securityManagerClassName : new String[] { - "com.sun.org.apache.xerces.internal.util.SecurityManager", + //"com.sun.org.apache.xerces.internal.util.SecurityManager", "org.apache.xerces.util.SecurityManager" }) { try { Object mgr = Class.forName(securityManagerClassName).newInstance(); Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE); - setLimit.invoke(mgr, 4096); - xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr); + setLimit.invoke(mgr, ENTITY_EXPANSION_LIMIT); + xmlReader.setProperty(XML_PROPERTY_SECURITY_MANAGER, mgr); // Stop once one can be setup without error return; } catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here @@ -95,5 +100,16 @@ public final class SAXHelper { } } } + + // separate old version of Xerces not found => use the builtin way of setting the property + try { + xmlReader.setProperty(XML_PROPERTY_ENTITY_EXPANSION_LIMIT, ENTITY_EXPANSION_LIMIT); + } catch (SAXException e) { // NOSONAR - also catch things like NoClassDefError here + // throttle the log somewhat as it can spam the log otherwise + if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) { + logger.log(XBLogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e); + lastLog = System.currentTimeMillis(); + } + } } } --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org