Re: [Simple-support] Prevent XML Bombs in simpleframework
From: Niall G. - Y. <Nia...@yi...> - 2015-03-22 22:52:54
Simple does not actually do any parsing; it delegates to either StAX, DOM, or XmlPull depending on the platform you are on. If you are on Java 1.5+ you will be using StAX, so just specify the configuration required to suppress this behaviour. If you are on Android you will be using XmlPull; again, this requires some specific config.
From: Elena Solomon [mailto:ele...@gm...]
Sent: 22 March 2015 21:56
To: sim...@li...
Subject: [Simple-support] Prevent XML Bombs in simpleframework
Hello,
I have, for example, the following XML (containing an XML bomb):
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<child>
<firstname>&lol9;</firstname>
<lastname>Doe</lastname>
</child>
When I try to parse it using simpleframework:
import java.io.File;
import org.simpleframework.xml.core.Persister;

Persister persister = new Persister();
File source = new File("test/Child.xml");
try {
    // Simple hands the file to the platform's XML parser, which expands the entities
    Child child = persister.read(Child.class, source);
} catch (Exception e) {
    // log
}
An OutOfMemoryError is thrown because it is trying to expand the entities.
How can I block the expansion of the entities in simpleframework?
Thank you very much!
E.
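Added example (not code from the thread or from the Simple project) of the StAX configuration Niall refers to, applied as a gate in front of Simple. The thread does not show how to hand a configured XMLInputFactory to Simple's own reader, so this assumes the hardened reader is used as a separate pre-check: the document is walked once with SUPPORT_DTD, IS_SUPPORTING_EXTERNAL_ENTITIES and IS_REPLACING_ENTITY_REFERENCES all switched off, any DOCTYPE or entity reference is refused, and only DOCTYPE-free bytes reach Persister, which then has nothing to expand. The class name SafeXmlGate, the UnsafeXmlException type and the Child mapping are assumptions; the original Child class is not shown in the post.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.simpleframework.xml.Element;
import org.simpleframework.xml.Root;
import org.simpleframework.xml.core.Persister;

public class SafeXmlGate {

    /** Thrown when the document carries a DOCTYPE or an entity reference. */
    public static class UnsafeXmlException extends Exception {
        public UnsafeXmlException(String msg) { super(msg); }
        public UnsafeXmlException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Assumed mapping for the <child> element in the post (the original Child class is not shown).
    @Root(name = "child")
    public static class Child {
        @Element public String firstname;
        @Element public String lastname;
    }

    /** StAX factory configured to skip DTDs, refuse external entities and never expand references. */
    private static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        return factory;
    }

    /** Streams the document once with the hardened reader; rejects any DTD or entity reference. */
    public static void rejectIfUnsafe(byte[] xml) throws UnsafeXmlException {
        XMLStreamReader reader = null;
        try {
            reader = hardenedFactory().createXMLStreamReader(new ByteArrayInputStream(xml));
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.DTD) {
                    throw new UnsafeXmlException("DOCTYPE is not allowed in untrusted input");
                }
                if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // Nothing was expanded (IS_REPLACING_ENTITY_REFERENCES is off); refuse the document.
                    throw new UnsafeXmlException("entity reference '" + reader.getLocalName() + "' is not allowed");
                }
            }
        } catch (XMLStreamException e) {
            // With the DTD skipped, a reader may instead report the undeclared entity as a stream error.
            throw new UnsafeXmlException("XML rejected by hardened parser: " + e.getMessage(), e);
        } finally {
            if (reader != null) {
                try { reader.close(); } catch (XMLStreamException ignored) { }
            }
        }
    }

    /** Gate first, then let Simple parse bytes that can no longer declare entities. */
    public static Child readChild(byte[] xml) throws Exception {
        rejectIfUnsafe(xml);
        Persister persister = new Persister();
        return persister.read(Child.class, new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a shortened form of the bomb from the post, and a benign document.
        String bomb = "<?xml version=\"1.0\"?><!DOCTYPE lolz [<!ENTITY lol \"lol\">"
            + "<!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
            + "<!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
            + "]><child><firstname>&lol2;</firstname><lastname>Doe</lastname></child>";
        String benign = "<?xml version=\"1.0\"?>"
            + "<child><firstname>Jane</firstname><lastname>Doe</lastname></child>";

        try {
            readChild(bomb.getBytes(StandardCharsets.UTF_8));
            System.out.println("bomb unexpectedly accepted");
        } catch (UnsafeXmlException e) {
            System.out.println("bomb rejected: " + e.getMessage());
        }
        Child ok = readChild(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign parsed: " + ok.firstname + " " + ok.lastname);
    }
}
```

The gate works because entity expansion needs a DTD: a document that reaches Persister without a DOCTYPE cannot declare lol1..lol9, so whichever parser Simple picks underneath has nothing to expand. Two caveats: the input is read fully into memory for the double pass, so cap the accepted size upstream (a bomb is tiny, so the cap is about the second parse, not the bomb itself); and current JDKs already fail the billion-laughs document with an entity-expansion-limit error (jdk.xml.entityExpansionLimit, default 64000), but that is a defence-in-depth backstop, not a substitute for refusing DTDs in untrusted input.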