A DESCRIPTION OF THE REQUEST :
While the reason behind entityExpansionLimit seems valid (DoS), I am not sure if the solution has been rationally exposed.
- The rationale behind using 64,000 as the default value seems questionable to begin with.
- Further, there should be a semantic for specifying infinite or no limit as the value.
- Currently, other than system properties, there is no good way of modifying the value at a parser level for SAX parsing.
- Also, the entity expansion counting design should probably be revised.
All entity usages are counted currently, while to me, it makes sense to do that only for UNIQUE entities used in the XML. Thus, if I just use 64,001 times in an XML, I would end up getting a SAXParseException for entity expansion. If I understand it correctly, all entities should have mapped to a single hashmap/hashtable value here. Not sure, then, why all their usages are accounted for. Can duplicate entity usages in an XML as above really contribute to DoS?
Thanks
JUSTIFICATION :
Quite a few people have working systems using older JREs and Xalan/Xerces. It's not unlikely that they have encoded XMLs with several system entities ( , > etc...).
For such cases, it is quite tedious to have to deal with entity expansion limit problems while porting to 1.4.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
As above, it would be good if we
[1] evaluate the reason behind using 64K as the default
[2] provide a semantic for specifying "no limit" for the entity expansion limit.
[3] provide better support for changing the limit value for SAX parsers.
[4] evaluate the design/implementation of entity expansion counting -> does the counter need to increment for duplicate entity usages?
ACTUAL -
--- described above ---
---------- BEGIN SOURCE ----------
--- Any parsing code should help see the problem. The test XML needs to have more than 64,000 entities. ---
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
--- set the entityExpansionLimit to a high value ---
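The parsing code the SOURCE section leaves out, together with the workaround above, as an added example that is not part of the original report and not code from the JDK or Xerces projects. It assumes the JDK's built-in JAXP SAX parser. The document it parses is constructed here: it declares one internal general entity and references it 64,001 times, so every reference resolves to the same value but each one is still counted against the limit. It parses once with the default limit, then again after raising the limit through the entityExpansionLimit system property, and finally through the per-parser property http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit, which later JDKs accept via SAXParser.setProperty and which the 1.4-era parser the report concerns does not recognize (the code catches that case). The class name, the entity name e and the doubled limit value are arbitrary choices for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Reproduces the entity expansion limit on a SAX parse and shows the
 * system-property workaround. Added example; not part of the original report.
 */
public class EntityExpansionLimitDemo {

    /** Default limit imposed by the JDK parser, as stated in the report. */
    static final int DEFAULT_LIMIT = 64000;

    /**
     * Builds a constructed test document that declares one internal general
     * entity "e" and references it {@code count} times. Each reference is one
     * expansion for the purposes of the limit, although all of them resolve to
     * the same one-character value.
     */
    static byte[] buildDocument(int count) {
        StringBuilder sb = new StringBuilder(count * 3 + 128);
        sb.append("<?xml version=\"1.0\"?>\n");
        sb.append("<!DOCTYPE root [ <!ENTITY e \"x\"> ]>\n");
        sb.append("<root>");
        for (int i = 0; i < count; i++) {
            sb.append("&e;");
        }
        sb.append("</root>\n");
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Parses the document with a freshly created parser. Returns null when the
     * parse completes, or the parser's fatal-error message when the limit is hit.
     * When {@code parserLevelLimit} is non-null it is applied through the
     * per-parser property that later JDKs recognize; older parsers reject it
     * with SAXNotRecognizedException, which is reported rather than fatal.
     */
    static String parse(byte[] doc, String parserLevelLimit) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        SAXParser parser = factory.newSAXParser();
        if (parserLevelLimit != null) {
            try {
                parser.setProperty(
                    "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit",
                    parserLevelLimit);
            } catch (SAXNotRecognizedException e) {
                System.out.println("parser-level limit not supported here: " + e.getMessage());
            }
        }
        try (InputStream in = new ByteArrayInputStream(doc)) {
            parser.parse(in, new DefaultHandler());
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] doc = buildDocument(DEFAULT_LIMIT + 1);

        // 1. Default limit: 64,001 references to the same entity are rejected.
        System.out.println("default limit      -> " + parse(doc, null));

        // 2. Customer workaround: raise the limit through the legacy system
        //    property. The parser reads it when it is created, so it must be
        //    set before the next parser is built.
        System.setProperty("entityExpansionLimit", String.valueOf(DEFAULT_LIMIT * 2));
        System.out.println("system property    -> " + parse(doc, null));

        // 3. Per-parser override (request [3] of the report), where supported.
        System.clearProperty("entityExpansionLimit");
        System.out.println("parser property    -> " + parse(doc, String.valueOf(DEFAULT_LIMIT * 2)));
    }
}
```

Compile and run with any JDK. The first parse returns the parser's own limit message; the second returns null because the raised limit is honoured; the third returns null on JDKs that accept the per-parser property and otherwise prints that the property is not recognized and returns the limit message again. Since the whole document uses a single entity, the first run also shows the counting behaviour the report questions: the count is per reference, not per distinct entity.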