Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8028111

XML readers share the same entity expansion counter



    • b124
    • Verified



        Issue described here:
        Oct 23, 2013 11:07 PM by Borislav.Andruschuk
        After upgrading to 1.7.0_45 we have noticed that StAX XMLInputFactory started throwing an exception on reader creation for our simple XML messages. After some investigation, we found that all XML readers share the same XMLSecurityManager and the same XMLLimitAnalyzer with its aggregated total entity expansion counter. It is my understanding that the counter is supposed to be local per reader and not shared across all of them.
        The default entity expansion limit is 64000 and if XMLInputFactory tries to create more than 64000 readers It fails because XMLLimitanalyzer total counter is accumulated and at some point exceeds the limit.
        OS version:
        I assume It should be related to all OS versions, checked only MacOS and RHEL
        Development Kit or Runtime version:

        java version "1.7.0_45"
        Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
        Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
        Regression information:

        Test case defined below works on prior JDK versions to 1.7.0_45

        Steps to Reproduce:

        1. create XMLInputFactory
        XMLInputFactory factory = XMLInputFactory.newInstance();
        2. create XMLEventReader:
        3. repeat step 2 64001 times (default entity expansion limit is 64000)
        Expected Result:

        XMLInputFactory should be able to create as many XMLReaders as requested
        Actual Result:

        JAXP00010001 error

        Error Message(s):
        Exception in thread "main" javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,1]
        Message: JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.
        at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.setInputSource(XMLStreamReaderImpl.java:219)
        at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.<init>(XMLStreamReaderImpl.java:189)
        at com.sun.xml.internal.stream.XMLInputFactoryImpl.getXMLStreamReaderImpl(XMLInputFactoryImpl.java:277)
        at com.sun.xml.internal.stream.XMLInputFactoryImpl.createXMLStreamReader(XMLInputFactoryImpl.java:129)
        at com.sun.xml.internal.stream.XMLInputFactoryImpl.createXMLEventReader(XMLInputFactoryImpl.java:78)
        at Main.main(Main.java:38)
        Source code for an executable test case:

        import java.io.ByteArrayInputStream;
        import javax.xml.stream.XMLInputFactory;
        public class Main {
            public static void main(String[] args) throws Exception {
                String xml = "<?xml version=\"1.0\"?><test></test>";
                XMLInputFactory factory = XMLInputFactory.newInstance();
                for (int i = 0; i < 64001; i++) {
                    ByteArrayInputStream stream = new ByteArrayInputStream(xml.getBytes());
        The workaround is to disable FPS or entity expansion limit (be careful now your code can be vulnerable to denial of service attack, see replies on Bug ID: JDK-4843787 org.xml.sax.SAXException was thrown when parsing large file )
        - set system property jdk.xml.entityExpansionLimit to 0
        - disable FPS in XMLSecurityManager for XMLInputFactory:
                XMLInputFactory factory = XMLInputFactory.newInstance();
                XMLSecurityManager securityManager = new XMLSecurityManager(false);
                factory.setProperty("http://apache.org/xml/properties/security-manager", securityManager);


          Issue Links



                joehw Joe Wang
                rcalnan Roger Calnan
                0 Vote for this issue
                9 Start watching this issue