From: "Freeman Fang (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Fri, 31 Dec 2010 00:55:45 -0500 (EST)
Message-ID: <29127733.78981293774945623.JavaMail.jira@thor>
In-Reply-To: <30542170.67161293676786359.JavaMail.jira@thor>
Subject: [jira] Resolved: (CXF-3223) introduce a threshold system property for staxutils to avoid parsing message with unreasonable inner element level

    [ https://issues.apache.org/jira/browse/CXF-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang resolved CXF-3223.
-------------------------------

    Resolution: Fixed

Commit fix:
http://svn.apache.org/viewvc?rev=1053815&view=rev for trunk
http://svn.apache.org/viewvc?rev=1053831&view=rev for 2.3 branch

> introduce a threshold system property for staxutils to avoid parsing message with unreasonable inner element level
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-3223
>                 URL: https://issues.apache.org/jira/browse/CXF-3223
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Freeman Fang
>            Assignee: Freeman Fang
>             Fix For: 2.3.2, 2.4
>
>
> If the incoming message looks like
> ......
> where "n" could be very large, it will take a long time (a 500k message consisting only of element tags with no real content takes minutes) for staxutils to parse this message. In some cases this kind of message, with an unreasonable inner element level, should be considered a vulnerability, so we need to introduce an inner element level threshold property for staxutils, so that when the level reaches the threshold we just throw an exception and stop parsing; this way resources are released quickly in case of such a vulnerability.
> The default value of this property should be -1, which means no inner element limit, for backward compatibility.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
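The mechanism the issue asks for, as an added example that is not CXF's own StaxUtils code: a StAX read loop that counts element nesting depth and aborts with an exception as soon as a configurable threshold is crossed, so a tag-only message of enormous depth is rejected after a few hundred events instead of being parsed to the end. The system property name `example.stax.innerElementLevelThreshold` is a stand-in chosen for this example (the page does not state the name CXF used); the default of -1 meaning "no limit" follows the issue text. The `nested()` helper constructs the `<a><a>...</a></a>` shape the issue describes.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not CXF's StaxUtils): a depth-limited StAX read loop.
 */
public class DepthLimitedStaxParser {

    // Hypothetical property name for this example; the page does not give
    // the name CXF chose. -1 is the issue's backward-compatible default.
    static final String THRESHOLD_PROPERTY = "example.stax.innerElementLevelThreshold";

    static int thresholdFromSystemProperty() {
        return Integer.getInteger(THRESHOLD_PROPERTY, -1);
    }

    /**
     * Parses xml and returns the deepest nesting level seen. Throws
     * XMLStreamException as soon as the depth exceeds maxDepth; a negative
     * maxDepth disables the limit (the issue's -1 default).
     */
    static int maxNestingDepth(String xml, int maxDepth) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Not part of the depth check, but a hardened parser should also
        // refuse DTDs and external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);

        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int depth = 0;
        int deepest = 0;
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT) {
                    depth++;
                    // Stop immediately: the rest of the message is never read,
                    // so the parser's time and memory are bounded by the threshold.
                    if (maxDepth >= 0 && depth > maxDepth) {
                        throw new XMLStreamException("element nesting depth " + depth
                                + " exceeds threshold " + maxDepth, reader.getLocation());
                    }
                    deepest = Math.max(deepest, depth);
                } else if (event == XMLStreamConstants.END_ELEMENT) {
                    depth--;
                }
            }
        } finally {
            reader.close();
        }
        return deepest;
    }

    /** Constructed input: `levels` nested <a> elements with no content. */
    static String nested(int levels) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < levels; i++) sb.append("<a>");
        for (int i = 0; i < levels; i++) sb.append("</a>");
        return sb.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        // -1 unless run with -Dexample.stax.innerElementLevelThreshold=N
        System.out.println("threshold from system property: " + thresholdFromSystemProperty());

        // An ordinary message is accepted under a generous limit.
        System.out.println("depth of small message: " + maxNestingDepth(nested(5), 100));

        // A tag-only message of huge depth is rejected once the limit is crossed.
        try {
            maxNestingDepth(nested(100_000), 500);
            System.out.println("unexpected: deep message accepted");
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // With the limit disabled the same message is parsed to the end,
        // which is the slow behaviour the issue describes.
        System.out.println("depth with no limit: " + maxNestingDepth(nested(100_000), -1));
    }
}
```

Run with `java -Dexample.stax.innerElementLevelThreshold=500 DepthLimitedStaxParser` to see the property picked up; in a real deployment the value read from the property would be passed as `maxDepth` wherever the reader is created. The check is placed on START_ELEMENT rather than after parsing because the cost the issue describes comes from reading the message at all, so the limit only helps if it ends the read early.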