4 Replies Latest reply on Jan 9, 2014 4:27 AM by RokoA

    StAX XMLInputFactory cannot create more than 64000 readers [JDK 1.7.0_45]

    Borislav.Andruschuk

      Hi all,

       

      I was trying to report a bug few times on http://bugreport.sun.com/bugreport/ but report submission fails all the time, I tried on different browsers - nothing works. I assume there are some technical difficulties with bug reporting system right now therefore I decided to post my issue and possible workarounds here. If somebody can help me to move this issue to bug database I'll appreciate that.

       

      Description:

       

      After upgrading to 1.7.0_45 we have noticed that StAX XMLInputFactory started throwing an exception on reader creation for our simple XML messages. After some investigation, we found that all XML readers share the same XMLSecurityManager and the same XMLLimitAnalyzer with its aggregated total entity expansion counter. It is my understanding that the counter is supposed to be local per reader and not shared across all of them.

       

      The default entity expansion limit is 64000 and if XMLInputFactory tries to create more than 64000 readers It fails because XMLLimitanalyzer total counter is accumulated and at some point exceeds the limit.

       

      OS version:

       

      I assume It should be related to all OS versions, checked only MacOS and RHEL

       

      Development Kit or Runtime version:


      java version "1.7.0_45"

      Java(TM) SE Runtime Environment (build 1.7.0_45-b18)

      Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

       

      Regression information:


      Test case defined below works on prior JDK versions to 1.7.0_45


      Steps to Reproduce:


      1. create XMLInputFactory

       

      XMLInputFactory factory = XMLInputFactory.newInstance();

       

      2. create XMLEventReader:

       

      factory.createXMLEventReader(stream);

       

      3. repeat step 2 64001 times (default entity expansion limit is 64000)

       

      Expected Result:


      XMLInputFactory should be able to create as many XMLReaders as requested

       

      Actual Result:


      JAXP00010001 error


      Error Message(s):

       

      Exception in thread "main" javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,1]

      Message: JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.

      at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.setInputSource(XMLStreamReaderImpl.java:219)

      at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.<init>(XMLStreamReaderImpl.java:189)

      at com.sun.xml.internal.stream.XMLInputFactoryImpl.getXMLStreamReaderImpl(XMLInputFactoryImpl.java:277)

      at com.sun.xml.internal.stream.XMLInputFactoryImpl.createXMLStreamReader(XMLInputFactoryImpl.java:129)

      at com.sun.xml.internal.stream.XMLInputFactoryImpl.createXMLEventReader(XMLInputFactoryImpl.java:78)

      at Main.main(Main.java:38)

       

      Source code for an executable test case:


      import java.io.ByteArrayInputStream;

       

      import javax.xml.stream.XMLInputFactory;

       

      public class Main {

       

          public static void main(String[] args) throws Exception {

       

              String xml = "<?xml version=\"1.0\"?><test></test>";

       

              XMLInputFactory factory = XMLInputFactory.newInstance();

       

              for (int i = 0; i < 64001; i++) {

       

                  ByteArrayInputStream stream = new ByteArrayInputStream(xml.getBytes());

                  factory.createXMLEventReader(stream);

              }

          }

      }

       

      Workaround:

       

      The workaround is to disable FPS or entity expansion limit (be careful now your code can be vulnerable to denial of service attack, see replies on Bug ID: JDK-4843787 org.xml.sax.SAXException was thrown when parsing large file )

       

      - set system property jdk.xml.entityExpansionLimit to 0

      - disable FPS in XMLSecurityManager for XMLInputFactory:

       

              XMLInputFactory factory = XMLInputFactory.newInstance();

              XMLSecurityManager securityManager = new XMLSecurityManager(false);

              factory.setProperty("http://apache.org/xml/properties/security-manager", securityManager);