Java version doesn't protect against billion laughs attack #586
Comments
|
Thanks for reporting. I got OutOfMemoryError while parsing above document. Fix will come soon. |
|
I added security manager in rev. 3ace9dc. The behavior between Apache Xerces and libxml2 is different. Xerces processes entity reference while libxml2 doesn't. I'm not sure whether it is possible to coincide both behavior or not. However, I didn't get OutOfMemoryError anymore after the change. Perhaps, this means pure Java version can avoid jeopardizing system by DOS attack. |
|
thanks @yokolet! should security manager be disabled if HUGE option is given? |
|
Ah, that's a good idea. Perf seems to be got worse by that security manager. Huge document parsing has been slow on pure Java, so switching off feature will work, I think. But, probably, a new option would be good. Not to confuse users. |
|
Naive question: the above fix applies for the JVM version.. what about MRI, does the same issue surface there? |
|
As far as I tested, MRI version doesn't have the problem. Probably, libxml has such security manager by default. But, Apache Xerces sets off by default. |
|
Awesome, thanks @yokolet! |
|
Closing this issue.This was fixed at some point. There was a regression that I caused but there's a patch that @flavorjones is working to merge in. |
parsing the XML below with ruby, works as expected, however parsing this with JRuby and nokogiri java results in OutOfMemoryError. It seems like java version should set the security-manager property, see http://xerces.apache.org/xerces2-j/properties.html
`
]>
&lol9;`
The text was updated successfully, but these errors were encountered: