Description
As part of the changes introduced in 1.19, determineMaxEntityExpansions needs to read the jdk.xml.entityExpansionLimit System Property in order to overwrite the default value of 20, if it is set.
This is, however, done by reading all System Properties with System.getProperties() and attempting to find the relevant key in the Properties object. The issue with this approach is that getProperties() requires
java.util.PropertyPermission "*", "read,write"
which is overly permissive.
A more sane approach, following the least privilege design principle, would be to use System.getProperty() for the specific property, which only requires
java.util.PropertyPermission "jdk.xml.entityExpansionLimit", "read"
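The difference between the two permission checks, as an added example that is not the project's own code. The class name, the readLimit helper and the fallback to the default on a denied or malformed value are assumptions; the property name and the default of 20 come from the description above.

```java
import java.security.Permissions;
import java.util.PropertyPermission;

public class EntityExpansionLimitDemo {
    static final String KEY = "jdk.xml.entityExpansionLimit";
    static final int DEFAULT_LIMIT = 20; // default stated in the issue

    // Hypothetical helper: narrow read of the single property.
    // Under a SecurityManager this triggers a check for
    // PropertyPermission(KEY, "read") and nothing broader.
    static int readLimit() {
        try {
            String value = System.getProperty(KEY);
            return value == null ? DEFAULT_LIMIT : Integer.parseInt(value.trim());
        } catch (SecurityException | NumberFormatException e) {
            // Assumption: a denied or malformed value keeps the default.
            return DEFAULT_LIMIT;
        }
    }

    public static void main(String[] args) {
        // Constructed policy: the sandbox grants only the narrow permission.
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission(KEY, "read"));

        // Permission checked when System.getProperties() is called.
        PropertyPermission broad = new PropertyPermission("*", "read,write");
        // Permission checked when System.getProperty(KEY) is called.
        PropertyPermission narrow = new PropertyPermission(KEY, "read");

        // The narrow grant does not satisfy the broad check, so code that
        // calls getProperties() fails in this sandbox, while a direct
        // getProperty(KEY) call passes.
        System.out.println("getProperties() permitted: " + granted.implies(broad));
        System.out.println("getProperty(KEY) permitted: " + granted.implies(narrow));
        System.out.println("effective limit: " + readLimit());
    }
}
```

The policy is evaluated with Permissions.implies() so the comparison runs without installing a SecurityManager.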