cxf-issues mailing list archives

From "Freeman Fang (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-3223) introduce a threshold system property for staxutils to avoid parsing message with unreasonable inner element level
Date Thu, 30 Dec 2010 02:39:46 GMT
introduce a threshold system property for staxutils to avoid parsing message with unreasonable
inner element level 
-------------------------------------------------------------------------------------------------------------------

                 Key: CXF-3223
                 URL: https://issues.apache.org/jira/browse/CXF-3223
             Project: CXF
          Issue Type: Improvement
            Reporter: Freeman Fang
            Assignee: Freeman Fang
             Fix For: 2.3.2, 2.4


If the incoming message is like
<soap:envelope><soap:body><a1><a2>...<an></an>...</a2></a1></soap:body></soap:envelope>
and "n" here is very large, then it will take a long time (a 500k size message with only element
tags but no real content will take minutes) for staxutils to parse this message. In some cases,
this kind of message with an unreasonable inner element level should be considered a vulnerability,
so we need to introduce an inner element level threshold property for staxutils, so that if the
threshold is reached we get the chance to just throw an exception and stop parsing; this ensures
resources are released soon in case of a vulnerability.

The default value of this property should be -1, which means no inner element limit, for backward
compatibility.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
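
A depth threshold of the kind the issue proposes can be enforced by wrapping the StAX reader. The following is an added example, not CXF's StaxUtils code; the class names and the `example.maxElementDepth` property are hypothetical.

```java
import java.io.StringReader;
import javax.xml.stream.*;
import javax.xml.stream.util.StreamReaderDelegate;

public class DepthLimitDemo {
    /** Wraps a StAX reader; throws once nesting exceeds maxDepth (-1 = no limit). */
    static class DepthLimitingReader extends StreamReaderDelegate {
        private final int maxDepth;
        private int depth;
        DepthLimitingReader(XMLStreamReader r, int maxDepth) { super(r); this.maxDepth = maxDepth; }
        private int track(int event) throws XMLStreamException {
            if (event == START_ELEMENT) depth++;
            else if (event == END_ELEMENT) depth--;
            if (maxDepth >= 0 && depth > maxDepth) {
                throw new XMLStreamException("depth " + depth + " exceeds limit " + maxDepth, getLocation());
            }
            return event;
        }
        // next() and nextTag() both advance the cursor, so both are counted.
        @Override public int next() throws XMLStreamException { return track(super.next()); }
        @Override public int nextTag() throws XMLStreamException { return track(super.nextTag()); }
        // getElementText() ends on the matching END_ELEMENT without calling next().
        @Override public String getElementText() throws XMLStreamException {
            String text = super.getElementText();
            depth--;
            return text;
        }
    }
    static int countElements(String xml, int maxDepth) throws XMLStreamException {
        XMLStreamReader reader = new DepthLimitingReader(
            XMLInputFactory.newFactory().createXMLStreamReader(new StringReader(xml)), maxDepth);
        int elements = 0;
        while (reader.hasNext())
            if (reader.next() == XMLStreamConstants.START_ELEMENT) elements++;
        return elements;
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: 50 nested elements, tags only, no content.
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i <= 50; i++) sb.append("<a").append(i).append('>');
        for (int i = 50; i >= 1; i--) sb.append("</a").append(i).append('>');
        // Hypothetical property name, not CXF's; default -1 keeps parsing unlimited.
        int limit = Integer.getInteger("example.maxElementDepth", -1);
        System.out.println(countElements(sb.toString(), limit) + " elements parsed");
        try {
            countElements(sb.toString(), 10);
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The JDK's built-in parser has its own nesting limit, `jdk.xml.maxElementDepth`, which applies independently of this wrapper.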

