https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
Mark Thomas changed:
What|Removed |Added
Status|NEEDINFO|RESOLVED
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #10 from Christopher Schultz ---
Modifying our existing (copy of) DTD is definitely an option. None of the J*EE
DTDs are parsable without entity-expansion, either, though. I haven't
pulled-down the entire tree of schemas recently,
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #9 from Mark Thomas ---
When I say provide, I mean replace the version Tomcat currently ships with.
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #8 from Mark Thomas ---
Could we provide a DTD where those entities have already been expanded? We
could add a comment in the defined types section to explain what was done and
why.
--
You are receiving this mail because:
You are
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
Christopher Schultz changed:
What|Removed |Added
Status|NEW |NEEDINFO
--- Comment #7 from
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #6 from Christopher Schultz ---
I was able to work around this by adding the following line of code to
MbeansDescriptorsDigesterSource.createDigester() method:
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #5 from Christopher Schultz ---
I was able to reproduce this on Tomcat 8.5.56 using:
$ export CATALINA_OPTS=-Djdk.xml.entityExpansionLimit=1
$ $CATALINA_HOME/bin/catalina.sh run
I needed to raise the limit to 17 in order to get
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #4 from Christopher Schultz ---
(In reply to Christopher Schultz from comment #3)
> Something seems fishy, here.
Oh, duh. Tomcat supplies its own copy of mbeans-descriptors.dtd which is used.
And it's got a handful of entities
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #3 from Christopher Schultz ---
Odd. I'm unsure why you'd need an entity expansion depth of 20 to get it to
work, especially since
http://jakarta.apache.org/commons/dtds/mbeans-descriptors.dtd ultimately leads
to a 404 response
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #2 from Valentin ---
We're setting the entityExpansionLimit in a jaxp.properties file under
'/jre/conf/'.
Our product relies on security and the code scanners of our clients require us
to use the value 1, which with the current
https://bz.apache.org/bugzilla/show_bug.cgi?id=64541
--- Comment #1 from Christopher Schultz ---
Interesting.
How are you setting the limit for the JAXP entity expansion... via the system
property "jdk.xml.entityExpansionLimit"?
What's the security justification for the setting of "1" and not,
11 matches
Mail list logo
