reduce entity expansion limit
git-svn-id: https://svn.apache.org/repos/asf/xmlbeans/trunk@1837864 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java b/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
index 71bed2d..59fd682 100644
--- a/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
+++ b/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
@@ -33,6 +33,11 @@
* Provides handy methods for working with SAX parsers and readers
*/
public final class SAXHelper {
+ public static final String PROPERTY_ENTITY_EXPANSION_LIMIT = "xmlbeans.sax.entity.expansion.limit";
+ public static final int DEFAULT_ENTITY_EXPANSION_LIMIT = 10;
+ private static final int ENTITY_EXPANSION_LIMIT = Integer.getInteger(PROPERTY_ENTITY_EXPANSION_LIMIT, DEFAULT_ENTITY_EXPANSION_LIMIT);
+ private static final String XML_PROPERTY_ENTITY_EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
+ private static final String XML_PROPERTY_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
private static final XBLogger logger = XBLogFactory.getLogger(SAXHelper.class);
private static long lastLog;
@@ -77,14 +82,14 @@
private static void trySetXercesSecurityManager(XMLReader xmlReader) {
// Try built-in JVM one first, standalone if not
for (String securityManagerClassName : new String[] {
- "com.sun.org.apache.xerces.internal.util.SecurityManager",
+ //"com.sun.org.apache.xerces.internal.util.SecurityManager",
"org.apache.xerces.util.SecurityManager"
}) {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 4096);
- xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
+ setLimit.invoke(mgr, ENTITY_EXPANSION_LIMIT);
+ xmlReader.setProperty(XML_PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
} catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here
@@ -95,5 +100,16 @@
}
}
}
+
+ // separate old version of Xerces not found => use the builtin way of setting the property
+ try {
+ xmlReader.setProperty(XML_PROPERTY_ENTITY_EXPANSION_LIMIT, ENTITY_EXPANSION_LIMIT);
+ } catch (SAXException e) { // NOSONAR - also catch things like NoClassDefError here
+ // throttle the log somewhat as it can spam the log otherwise
+ if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
+ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e);
+ lastLog = System.currentTimeMillis();
+ }
+ }
}
}