JDK-8368902

New JAXP limits in Java 24 are far too low


    • Affects Version/s: 24
    • CPU: generic
    • OS: generic

      A DESCRIPTION OF THE PROBLEM :
      The change introduced in https://bugs.openjdk.org/browse/JDK-8343006 reduced the limits for entity expansion when parsing XML. These limits have been set way too low! A large number of completely trivial files in moderately complex namespaces like SVG are now failing to parse with Java unless I override the system limits.


      REGRESSION : Last worked in version 21.0.8

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      A specific example is parsing this 15-line SVG "ViewBox.svg" using the DTD "svg11-flat.dtd".

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Expected result is that XML parsing succeeds without error; this was the case prior to Java 24. And it should succeed without me having to adjust JDK limits.

      The default JVM limits should be high enough that they block obviously malicious use, but general cases pass. It should always, *always* err on the side of permissiveness - it's a very bad experience if things that worked before suddenly start failing on upgrading to Java 24.

      The referenced issue 8343006 reduced some of the thresholds to 1.5% of their former value, and the justification for this is... unspecified. There is nothing in that bug saying the current limits are too high or what problem they were causing, just that limits need revising.

      ACTUAL -
      Exception in thread "main" org.xml.sax.SAXParseException; lineNumber: 4; columnNumber: 28; JAXP00010003: The length of entity "%SVG.Presentation.attrib" is "15,002" that exceeds the "15,000" limit set by "jdk.xml.maxParameterEntitySizeLimit".

      ---------- BEGIN SOURCE ----------
      import org.xml.sax.*;
      import org.xml.sax.helpers.*;
      import javax.xml.parsers.*;
      import java.io.*;

      // args[0]: the XML document to parse (ViewBox.svg); args[1]: the DTD to serve (svg11-flat.dtd)
      public class Test {
          public static void main(final String[] args) throws Exception {
              SAXParserFactory factory = SAXParserFactory.newInstance();
              SAXParser parser = factory.newSAXParser();
              parser.parse(new File(args[0]), new DefaultHandler() {
                  // Answer every external-entity request (here: the DOCTYPE's external DTD) with args[1]
                  @Override public InputSource resolveEntity(String pub, String sys) throws IOException {
                      return new InputSource(new FileInputStream(args[1]));
                  }
              });
          }
      }
      ---------- END SOURCE ----------
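Added example (not part of this report or its attachments): a self-contained version of the reproducer that builds an in-memory stand-in for the DTD with one parameter entity just over 15,000 characters, then parses once with the JDK default and once with the limit raised on that parser alone via the jdk.xml.maxParameterEntitySizeLimit property named in the error. The entity name Presentation.attrib, the system id demo.dtd and the 20,000 value are constructed; on Java 24 the first call prints false and the second true, on earlier releases both print true. Raising the limit per parser to the smallest value the DTD needs, rather than to 0 (no limit), keeps the protection against grossly oversized entities in place.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitDemo {
    // Constructed stand-in for svg11-flat.dtd: a single parameter entity whose
    // replacement text is just over the 15,000-character default of Java 24.
    static String buildDtd() {
        StringBuilder attrib = new StringBuilder();
        for (int i = 0; attrib.length() <= 15_000; i++) {
            attrib.append(" a").append(i).append(" CDATA #IMPLIED");
        }
        return "<!ENTITY % Presentation.attrib \"" + attrib + "\">\n"
             + "<!ELEMENT svg EMPTY>\n"
             + "<!ATTLIST svg %Presentation.attrib;>\n";
    }
    // Constructed stand-in for ViewBox.svg; the DOCTYPE makes the parser request the DTD.
    static final String DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE svg SYSTEM \"demo.dtd\">\n"
        + "<svg a0=\"x\"/>\n";
    // True when DOC parses. null keeps the JDK default; otherwise the limit is set on this parser only.
    static boolean parses(Integer peSizeLimit) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        if (peSizeLimit != null) {
            parser.setProperty("jdk.xml.maxParameterEntitySizeLimit", String.valueOf(peSizeLimit));
        }
        byte[] dtd = buildDtd().getBytes(StandardCharsets.UTF_8);
        try {
            parser.parse(new ByteArrayInputStream(DOC.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler() {
                    @Override public InputSource resolveEntity(String pub, String sys) {
                        return new InputSource(new ByteArrayInputStream(dtd)); // serve the in-memory DTD
                    }
                });
            return true;
        } catch (SAXException e) {
            System.err.println(e.getMessage()); // JAXP00010003 on Java 24 with the default limit
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default limit parses: " + parses(null));
        System.out.println("limit 20000 parses:   " + parses(20_000));
    }
}
```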

      Attachments:
        1. svg11-flat.dtd (181 kB, Patricia Tavares)
        2. ViewBox.svg (1 kB, Patricia Tavares)
        3. Test.java (0.6 kB, Patricia Tavares)

            Assignee: Joe Wang (joehw)
            Reporter: Webbug Group (webbuggrp)