[Simple-support] Prevent XML Bombs in simpleframework
Brought to you by:
niallg
Menu
▾
▴
[Simple-support] Prevent XML Bombs in simpleframework
|
From: Elena S. <ele...@gm...> - 2015-03-22 10:55:57
|
Hello,
I have, for example, the following xml (containing a XML bomb):
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5
"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<child>
<firstname>&lol9;</firstname>
<lastname>Doe</lastname></child>
When I try to parse it using simpleframework:
Persister persister = new Persister();
File source = new File ("test/Child.xml");
try {
Child child = persister.read(Child.class, source);
} catch(Exception e) {
// log
}
An OutOfMemoryError is thrown because it is trying to expand the entities.
How can I block the expansion of the entities in simpleframework?
Thank you very much!
E.
|
