- Bug
- Resolution: Fixed
- P2
- 5.0u55, 6u65, 7u45, 8
- Reproduced on Mac and RHEL

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8032336 | 9 | Joe Wang | P2 | Closed | Fixed | b02 |
JDK-8032124 | 8u20 | Joe Wang | P2 | Closed | Fixed | b01 |
JDK-8039785 | emb-8u26 | Joe Wang | P2 | Resolved | Fixed | master |
JDK-8037759 | emb-8u6 | Joe Wang | P2 | Closed | Fixed | b10 |
JDK-8033825 | 7u80 | Sean Coffey | P2 | Resolved | Fixed | b01 |
JDK-8031843 | 7u60 | Sean Coffey | P2 | Resolved | Fixed | b03 |
JDK-8028703 | 7u55 | Sean Coffey | P2 | Resolved | Fixed | b01 |
JDK-8029404 | 7u51 | Sean Coffey | P2 | Closed | Fixed | b10 |
JDK-8028704 | 6u75 | Sean Coffey | P2 | Resolved | Fixed | b01 |
JDK-8029402 | 6u71 | Sean Coffey | P2 | Closed | Fixed | b10 |
JDK-8028705 | 5.0u65 | Sean Coffey | P2 | Resolved | Fixed | b01 |
JDK-8029403 | 5.0u61 | Sean Coffey | P2 | Closed | Fixed | b09 |
https://forums.oracle.com/thread/2594170
Oct 23, 2013 11:07 PM by Borislav.Andruschuk
Description:
After upgrading to 1.7.0_45 we have noticed that StAX XMLInputFactory started throwing an exception on reader creation for our simple XML messages. After some investigation, we found that all XML readers share the same XMLSecurityManager and the same XMLLimitAnalyzer with its aggregated total entity expansion counter. It is my understanding that the counter is supposed to be local per reader and not shared across all of them.
The default entity expansion limit is 64000, and if XMLInputFactory tries to create more than 64000 readers it fails because the XMLLimitAnalyzer total counter is accumulated and at some point exceeds the limit.
OS version:
I assume it should be related to all OS versions; checked only MacOS and RHEL.
Development Kit or Runtime version:
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
Regression information:
The test case defined below works on JDK versions prior to 1.7.0_45.
Steps to Reproduce:
1. create XMLInputFactory:
       XMLInputFactory factory = XMLInputFactory.newInstance();
2. create XMLEventReader:
       factory.createXMLEventReader(stream);
3. repeat step 2 64001 times (default entity expansion limit is 64000)
Expected Result:
XMLInputFactory should be able to create as many XMLReaders as requested
Actual Result:
JAXP00010001 error
Error Message(s):
Exception in thread "main" javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,1]
Message: JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.
    at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.setInputSource(XMLStreamReaderImpl.java:219)
    at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.<init>(XMLStreamReaderImpl.java:189)
    at com.sun.xml.internal.stream.XMLInputFactoryImpl.getXMLStreamReaderImpl(XMLInputFactoryImpl.java:277)
    at com.sun.xml.internal.stream.XMLInputFactoryImpl.createXMLStreamReader(XMLInputFactoryImpl.java:129)
    at com.sun.xml.internal.stream.XMLInputFactoryImpl.createXMLEventReader(XMLInputFactoryImpl.java:78)
    at Main.main(Main.java:38)
Source code for an executable test case:
    import java.io.ByteArrayInputStream;
    import javax.xml.stream.XMLInputFactory;

    public class Main {
        public static void main(String[] args) throws Exception {
            String xml = "<?xml version=\"1.0\"?><test></test>";
            XMLInputFactory factory = XMLInputFactory.newInstance();
            // One more reader than the default entity expansion limit (64000);
            // the document itself contains no entities.
            for (int i = 0; i < 64001; i++) {
                ByteArrayInputStream stream = new ByteArrayInputStream(xml.getBytes());
                factory.createXMLEventReader(stream);
            }
        }
    }
Workaround:
The workaround is to disable FPS or the entity expansion limit (be careful: your code can now be vulnerable to a denial of service attack, see replies on Bug ID:
- set system property jdk.xml.entityExpansionLimit to 0
- disable FPS in XMLSecurityManager for XMLInputFactory:
      XMLInputFactory factory = XMLInputFactory.newInstance();
      XMLSecurityManager securityManager = new XMLSecurityManager(false);
      factory.setProperty("http://apache.org/xml/properties/security-manager", securityManager);
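
A check one could run against a given JDK build before deciding whether the workaround is still needed (added example, not from the report or the JDK's own tests). It lowers `jdk.xml.entityExpansionLimit` to a constructed value of 100, pushes entity-free documents through one factory to see whether the counter accumulates across readers, and goes beyond the report by confirming that a single document over the limit is still rejected. The class name, the limit value and the sample documents are assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;

// Added check (hypothetical class name); LIMIT is lowered only to keep the run short.
public class ExpansionCounterCheck {
    static final int LIMIT = 100;

    // Creates a reader and drains it; false means the parser rejected the document.
    static boolean parses(XMLInputFactory factory, String xml) {
        try {
            XMLEventReader reader = factory.createXMLEventReader(new StringReader(xml));
            try {
                while (reader.hasNext()) reader.nextEvent();
            } finally {
                reader.close();
            }
            return true;
        } catch (XMLStreamException | RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Must be set before the first JAXP factory is created.
        System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(LIMIT));
        XMLInputFactory factory = XMLInputFactory.newInstance();

        // 1. Many entity-free documents through one factory: none should be rejected.
        String small = "<?xml version=\"1.0\"?><test></test>";
        int accepted = 0;
        while (accepted < 2 * LIMIT && parses(factory, small)) {
            accepted++;
        }
        boolean sharedCounter = accepted < 2 * LIMIT;

        // 2. One constructed document with 2 * LIMIT references must be rejected.
        StringBuilder big = new StringBuilder("<!DOCTYPE t [<!ENTITY a \"x\">]><t>");
        for (int i = 0; i < 2 * LIMIT; i++) big.append("&a;");
        big.append("</t>");
        boolean limitEnforced = !parses(XMLInputFactory.newInstance(), big.toString());

        System.out.println("documents accepted: " + accepted + " of " + (2 * LIMIT));
        System.out.println("counter shared across readers: " + sharedCounter);
        System.out.println("per-document limit enforced:   " + limitEnforced);
    }
}
```

The state to want is no shared counter together with an enforced per-document limit; with the limit set to 0 as in the workaround, the second check is expected to report the limit as not enforced.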
Backported by:
- JDK-8028703 XML readers share the same entity expansion counter (Resolved)
- JDK-8028704 XML readers share the same entity expansion counter (Resolved)
- JDK-8028705 XML readers share the same entity expansion counter (Resolved)
- JDK-8031843 XML readers share the same entity expansion counter (Resolved)
- JDK-8033825 XML readers share the same entity expansion counter (Resolved)
- JDK-8039785 XML readers share the same entity expansion counter (Resolved)
- JDK-8029402 XML readers share the same entity expansion counter (Closed)
- JDK-8029403 XML readers share the same entity expansion counter (Closed)
- JDK-8029404 XML readers share the same entity expansion counter (Closed)
- JDK-8032124 XML readers share the same entity expansion counter (Closed)
- JDK-8032336 XML readers share the same entity expansion counter (Closed)
- JDK-8037759 XML readers share the same entity expansion counter (Closed)

Relates to:
- JDK-8029038 Revise fix for XML readers share the same entity expansion counter (Closed)
- JDK-6315411 Default value of the Entity Expansion Limit (Closed)