[TIKA-2731] Unecessary call to System.getProperties() in XMLReaderUtils - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.19
Fix Version/s: 1.19.1
Component/s: core
Labels:
None

Description

As part of the changes introduced in 1.19 determineMaxEntityExpansions needs to read the jdk.xml.entityExpansionLimit System Property in order to overwrite the default value of 20, if it is set.
This is however by reading all System Properties with System.getProperties() and attempting to find the relevant key in the properties Object. The issue with this approach is that getProperties() requires

java.util.PropertyPermission "*", "read,write"

which is overly permissive.

A more sane approach, following the least privilege design principal would be to use System.getProperty() for the specific property that only requires

java.util.PropertyPermission "jdk.xml.entityExpansionLimit", "read"

Attachments

Issue Links

links to

GitHub Pull Request #250

Activity

People

Assignee:: Tim Allison

Reporter:: Ioannis Kakavas

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Sep/18 13:39

Updated:: 12/Oct/18 16:45

Resolved:: 21/Sep/18 20:44