- Bug
- Resolution: Unresolved
- P3
- 25
- generic
- generic
A DESCRIPTION OF THE PROBLEM :
The change introduced in https://bugs.openjdk.org/browse/JDK-8343006 reduced the limits for entity expansion when parsing XML. These limits have been set way too low! A large number of completely trivial files in moderately complex namespaces like SVG are now failing to parse with Java unless I override the system limits.
REGRESSION : Last worked in version 21.0.8
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
A specific example is parsing this 15-line SVG "ViewBox.svg" using the DTD "svg11-flat.dtd"
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected result is that XML parsing succeeds without error; this was the case prior to Java 24. And it should succeed without me having to adjust JDK limits.
The default JVM limits should be high enough that they block obviously malicious use, but general cases pass. It should always, *always* err on the side of permissiveness - it's a very bad experience if things that worked before suddenly start failing on upgrading to Java 24.
The referenced issue 8343006 reduced some of the thresholds to 1.5% of their former value, and the justification for this is... unspecified. There is nothing in that bug saying the current limits are too high or what problem they were causing, just that limits need revising.
ACTUAL -
Exception in thread "main" org.xml.sax.SAXParseException; lineNumber: 4; columnNumber: 28; JAXP00010003: The length of entity "%SVG.Presentation.attrib" is "15,002" that exceeds the "15,000" limit set by "jdk.xml.maxParameterEntitySizeLimit".
---------- BEGIN SOURCE ----------
import org.xml.sax.*;
import org.xml.sax.helpers.*;
import javax.xml.parsers.*;
import java.io.*;

public class Test {
    // args[0]: XML file to parse (e.g. ViewBox.svg)
    // args[1]: DTD file served for every external entity (e.g. svg11-flat.dtd)
    public static void main(final String[] args) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        SAXParser parser = factory.newSAXParser();
        parser.parse(new File(args[0]), new DefaultHandler() {
            // Resolve the DOCTYPE reference to the local DTD instead of fetching it.
            @Override public InputSource resolveEntity(String pub, String sys) throws IOException {
                return new InputSource(new FileInputStream(args[1]));
            }
        });
    }
}
---------- END SOURCE ----------
- relates to
- JDK-8343006 Adjust JAXP limits
- Closed
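
Added example, not part of the original report and not JDK code: the report mentions overriding the system limits; this example instead raises jdk.xml.maxParameterEntitySizeLimit on a single SAXParser that reads a trusted DTD, so the JVM-wide default stays in place for every other parser. The class name, the constructed in-memory DTD and document, and the value 20000 are assumptions, as is a JDK that accepts the jdk.xml-prefixed name through SAXParser.setProperty.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class ScopedLimit {
    // Property name as quoted in the JAXP00010003 message in the report.
    static final String PE_LIMIT = "jdk.xml.maxParameterEntitySizeLimit";

    // Constructed DTD: one parameter entity of about 16,700 characters,
    // standing in for a large attribute collection like the SVG one.
    static String constructedDtd() {
        StringBuilder attrs = new StringBuilder();
        for (int i = 0; i < 150; i++) {
            attrs.append("presentation-").append("x".repeat(80)).append(i)
                 .append(" CDATA #IMPLIED ");
        }
        return "<!ENTITY % Big.attrib \"" + attrs + "\">\n"
             + "<!ELEMENT svg EMPTY>\n<!ATTLIST svg %Big.attrib;>\n";
    }

    // limit == null keeps the JDK default (assumed value: "20000" otherwise).
    // Returns null on success, otherwise the parser's error message.
    static String parse(String limit) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        if (limit != null) {
            parser.setProperty(PE_LIMIT, limit); // applies to this parser only
        }
        String doc = "<!DOCTYPE svg SYSTEM \"constructed.dtd\"><svg/>";
        String dtd = constructedDtd();
        try {
            parser.parse(new InputSource(new StringReader(doc)), new DefaultHandler() {
                @Override public InputSource resolveEntity(String pub, String sys) {
                    // Serve only the in-memory DTD; nothing is fetched by URL.
                    return new InputSource(new StringReader(dtd));
                }
            });
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default limit: " + parse(null));
        System.out.println("limit 20000:   " + parse("20000"));
    }
}
```

With the 15,000 default quoted in the report, the first call is the one that hits the limit; the second parses the same input because only that parser's limit was raised.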