cxf-issues mailing list archives

From "Freeman Fang (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (CXF-3223) introduce a threshold system property for staxutils to avoid parsing message with unreasonable inner element level
Date Fri, 31 Dec 2010 05:55:45 GMT

     [ https://issues.apache.org/jira/browse/CXF-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang resolved CXF-3223.
-------------------------------

    Resolution: Fixed

commit fix
http://svn.apache.org/viewvc?rev=1053815&view=rev for trunk
http://svn.apache.org/viewvc?rev=1053831&view=rev for 2.3 branch

> introduce a threshold system property for staxutils to avoid parsing message with unreasonable inner element level
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-3223
>                 URL: https://issues.apache.org/jira/browse/CXF-3223
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Freeman Fang
>            Assignee: Freeman Fang
>             Fix For: 2.3.2, 2.4
>
>
> if the incoming message is like
> <soap:envelope><soap:body><a1><a2>...<an></an>...</a2></a1></soap:body></soap:envelope>
> "n" here could be very huge, then it will take a long time (a 500k-size message with only
> element tags but no real content will take minutes) for staxutils to parse this message. In
> some cases, this kind of message with an unreasonable inner element level should be considered
> a vulnerability, so we need to introduce an inner element level threshold property for staxutils,
> so that if it reaches the threshold we get the chance to just throw an exception and stop parsing;
> this way we ensure resources are released soon in case of vulnerability.
> The default value of this property should be -1, which means no inner element limit, for
> backward compatibility.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
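The mitigation the issue asks for, as an added example that is not CXF's own code: a StAX read loop that tracks element nesting depth and aborts as soon as it passes a threshold read from a system property, with -1 meaning no limit. The property name `example.staxutils.innerElementLevelThreshold`, the class and method names, and the constructed nested envelope are all assumptions for this illustration, not identifiers from the CXF fix.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Depth-bounded StAX parse (added example; not CXF's implementation). */
public class DepthLimitedStaxParse {

    // Hypothetical property name for this example; CXF's real property name may differ.
    static final String DEPTH_PROPERTY = "example.staxutils.innerElementLevelThreshold";

    /** Thrown as soon as nesting exceeds the configured threshold. */
    public static class DepthExceededException extends XMLStreamException {
        public DepthExceededException(int depth, int limit) {
            super("element nesting depth " + depth + " exceeds threshold " + limit);
        }
    }

    /** Reads the threshold from the system property; -1 (the default) disables the check. */
    static int configuredThreshold() {
        return Integer.getInteger(DEPTH_PROPERTY, -1);
    }

    /**
     * Walks the document and returns the maximum nesting depth seen.
     * When threshold >= 0, stops and throws as soon as depth exceeds it, so a hostile
     * document costs at most (threshold + 1) start tags of parser work before rejection.
     */
    public static int parseWithDepthLimit(String xml, int threshold) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Entity expansion is a separate resource-exhaustion vector; keep DTDs and external entities off.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int depth = 0;
        int maxDepth = 0;
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT) {
                    depth++;
                    if (threshold >= 0 && depth > threshold) {
                        throw new DepthExceededException(depth, threshold);
                    }
                    maxDepth = Math.max(maxDepth, depth);
                } else if (event == XMLStreamConstants.END_ELEMENT) {
                    depth--;
                }
            }
        } finally {
            reader.close(); // release parser resources promptly, on the failure path too
        }
        return maxDepth;
    }

    /** Constructed sample input: a SOAP-shaped envelope wrapping n nested empty elements. */
    static String nestedEnvelope(int n) {
        StringBuilder sb = new StringBuilder(
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>");
        for (int i = 1; i <= n; i++) {
            sb.append("<a").append(i).append('>');
        }
        for (int i = n; i >= 1; i--) {
            sb.append("</a").append(i).append('>');
        }
        return sb.append("</soap:Body></soap:Envelope>").toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        // -1 unless the JVM is started with -Dexample.staxutils.innerElementLevelThreshold=<n>
        int limit = configuredThreshold();
        // Envelope + Body + 10 inner elements: depth 12, well within any sane limit.
        System.out.println("max depth of a small message: "
            + parseWithDepthLimit(nestedEnvelope(10), limit));
        try {
            // Tag-only message with 100000 nested levels, checked against an explicit limit of 1000.
            parseWithDepthLimit(nestedEnvelope(100000), 1000);
            System.out.println("unexpected: deep message parsed to completion");
        } catch (DepthExceededException e) {
            System.out.println("rejected early: " + e.getMessage());
        }
    }
}
```

The check is placed on START_ELEMENT rather than after the parse so the cost of a hostile message is bounded by the threshold, not by the message size; closing the reader in `finally` is what gives the "release resources soon" property the issue asks for. A threshold of -1 keeps the pre-fix behaviour for callers that never set the property.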

